HighCISA KEVExploited in the wildPublic exploit

Command Injection in NETGEAR R-Series and D-Series Routers cgi-bin Handler

IdentifiersCVE-2016-6277CWE-78

CVE-2016-6277 is a remote command injection vulnerability affecting multiple NETGEAR routers, including R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400, and D7000, as well as possibly additional models. According to the provided content, affected firmware versions include R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, and R8000 before 1.0.3.26.Beta, with R6900, D6220, D6400, D7000 also listed as affected in the source material. The flaw allows remote attackers to execute arbitrary shell commands by supplying shell metacharacters in PATH_INFO directed to the router's cgi-bin endpoint. This is consistent with OS command injection in a web-exposed CGI request handler, where unsanitized path data is incorporated into a shell command or shell-interpreted context.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation permits unauthenticated remote arbitrary command execution on the affected router. An attacker can run commands in the device operating environment, which can lead to full compromise of the appliance, installation of malware or botnet payloads, modification of configuration, persistence, traffic interception or redirection, and use of the device as a foothold for further network activity. The provided context specifically notes in-the-wild exploitation by Mirai-derived botnets such as Wicked against exposed devices on port 8443.

Mitigation

If you can’t patch tonight, do this now.

If immediate firmware updates are not possible, restrict or disable remote administrative access to the router web interface, especially internet exposure of HTTPS management services such as port 8443 referenced in the provided context. Limit management access to trusted internal hosts or a dedicated management network, enforce firewall rules to block untrusted inbound access, and monitor for suspicious requests to cgi-bin paths containing shell metacharacters or anomalous PATH_INFO values. Because this vulnerability has been used by botnets for opportunistic exploitation, removing internet exposure is a key interim control.

Remediation

Patch, then assume compromise.

Upgrade affected NETGEAR devices to fixed firmware versions or later. Based on the provided content, remediation includes updating at least to R6250 1.0.4.6.Beta, R6400 1.0.1.18.Beta, R6700 1.0.1.14.Beta, R7000 1.0.7.6.Beta, R7100LG 1.0.0.28.Beta, R7300DST 1.0.0.46.Beta, R7900 1.0.1.8.Beta, and R8000 1.0.3.26.Beta, or newer vendor-supplied releases. For models listed as affected without explicit fixed versions in the provided content, apply the latest NETGEAR firmware that addresses CVE-2016-6277. If patch status cannot be confirmed, treat the device as vulnerable until verified otherwise.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

NetgearD6220 Firmwareoperating_system

NetgearD6400 Firmwareoperating_system

NetgearR6250 Firmwareoperating_system

NetgearR6400 Firmwareoperating_system

NetgearR6700 Firmwareoperating_system

NetgearR6900 Firmwareoperating_system

NetgearR7000 Firmwareoperating_system

NetgearR7100lg Firmwareoperating_system

NetgearR7300dst Firmwareoperating_system

NetgearR7900 Firmwareoperating_system

NetgearR8000 Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

foresiet blogNews

Dec 9, 2025

The Resurgence of Mirai: Jackskid Botnet and Escalating IoT Threats in November 2025

A vulnerability in Netgear routers exploited by Mirai variants for IoT botnet propagation.

foresiet blogNews

Dec 9, 2025

The Resurgence of Mirai: Jackskid Botnet and Escalating IoT Threats in November 2025

A vulnerability in Netgear routers that was exploited by the Wicked Mirai variant for IoT botnet propagation.

securityaffairsNews

Oct 10, 2025

RondoDox Botnet targets 56 flaws across 30+ device types worldwide

A command injection vulnerability in Netgear R7000/R6400 routers exploited by RondoDox.

vulncheck blogNews

Mar 2, 2023

The VulnCheck 2022 Exploited Vulnerability Report - A Year Long the CISA KEV Catalog - Blog - VulnCheck Review of the CISA KEV Catalog

A vulnerability heavily used by named botnets (details not specified in content).

+2 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2016-6277

NVD

nvd.nist.gov/vuln/detail/CVE-2016-6277

MITRE CWE · CWE-78

cwe.mitre.org

Patch

kb.netgear.com/000036386/CVE-2016-582384

Third Party Advisory

packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.html

Third Party Advisory

exploit-db.com/exploits/40889

Third Party Advisory

exploit-db.com/exploits/41598

Third Party Advisory

kb.cert.org/vuls/id/582384

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-6277