CVE-2024-36788
Description
Netgear WNR614 JNR1010V2 N300-V1.1.0.54_1.0.1 does not properly set the HTTPOnly flag for cookies. This allows attackers to possibly intercept and access sensitive communications between the router and connected devices.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Netgear WNR614 router fails to set HTTPOnly flag on cookies, enabling attackers on the local network to intercept sensitive session data.
Vulnerability
The Netgear WNR614 router running firmware version N300-V1.1.0.54_1.0.1 fails to set the HTTPOnly flag on cookies used by the web management interface [1]. This omission allows client-side scripts to access the cookies, which are intended to be inaccessible to JavaScript for security reasons.
Exploitation
An attacker on the same local network can exploit this by performing a man-in-the-middle attack or by leveraging a cross-site scripting vulnerability (if present) to steal the session cookie [1]. The attacker must be able to intercept or inject traffic to the router's management interface.
Impact
Successful theft of the session cookie enables the attacker to impersonate an authenticated administrator, gaining full control over the router's configuration and potentially compromising all devices connected to the network [1].
Mitigation
Netgear has not released a firmware update to address this issue, and the device is approaching end-of-life [1]. Users should replace the router with a supported model, disable remote management, and ensure the management interface is only accessible from trusted local networks.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The router's web management interface does not set the HTTPOnly flag on session cookies, allowing client-side scripts and network observers to access session tokens."
Attack vector
An attacker on the same local network can intercept HTTP traffic to the router (e.g., using tcpdump or Wireshark) and capture session cookies that lack the HTTPOnly flag [ref_id=1]. Because the cookie is accessible to client-side scripts, any malicious webpage visited by an authenticated administrator while their session is active can also exfiltrate the session token via JavaScript [ref_id=1]. The advisory demonstrates that session tokens are often sequential integers (e.g., 1001), making them additionally predictable and susceptible to brute-force hijacking [ref_id=1].
Affected code
The advisory identifies the Netgear WNR614 router's web management interface as the affected component, specifically the session handling mechanism that issues cookies without the HTTPOnly flag [ref_id=1]. The advisory does not specify exact source files or functions, but notes that the router's HTTP responses set cookies such as `sessionID=1001` without the HTTPOnly attribute [ref_id=1].
What the fix does
No patch has been released by Netgear for this vulnerability [ref_id=1]. The advisory states that the WNR614 is approaching or has reached end-of-life status, and Netgear's official guidance recommends device replacement as the only complete remediation [ref_id=1]. As an interim mitigation, the advisory recommends disabling remote management, isolating the router's management interface to a dedicated VLAN, and implementing network-level monitoring to detect abnormal traffic [ref_id=1].
Preconditions
- networkAttacker must be on the same local network as the target router, or the router's management interface must be exposed to the internet
- authAn administrator must have an active authenticated session with the router
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.