Netgear WNR614 URL improper authentication
Description
A vulnerability was found in Netgear WNR614 1.1.0.28_1.0.1WW. It has been classified as critical. This affects an unknown part of the component URL Handler. The manipulation with the input %00currentsetting.htm leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This issue appears to have been circulating as an 0day since 2024.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authentication bypass in Netgear WNR614 router via null byte injection in URL allows remote unauthenticated access to restricted pages.
Vulnerability
The Netgear WNR614 router firmware version 1.1.0.28_1.0.1WW contains an authentication bypass vulnerability in the URL Handler component. By appending %00currentsetting.htm to a URL that normally requires authentication, the router incorrectly treats the request as authenticated, allowing access to restricted pages. This issue has been circulating as a zero-day since 2024 [1].
Exploitation
An unauthenticated remote attacker can exploit this by sending a crafted HTTP request to the router. For example, accessing http://target/*.htm%00currentsetting.htm bypasses the login prompt and displays the page content without authentication. No special privileges or user interaction is required [1].
Impact
Successful exploitation allows an attacker to view sensitive configuration pages and potentially modify settings, leading to full compromise of the router's administrative interface. This could result in information disclosure, network manipulation, and further attacks on connected devices [1].
Mitigation
As of the publication date (2025-06-03), no official patch has been released by Netgear. The vendor's website [2] does not list a fixed version. Users should consider replacing the device if it is end-of-life, or implement network-level access controls to restrict management interface exposure. The vulnerability is publicly known and may be exploited [1].
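A detection check for the request pattern described above, as an added example that is not part of the original advisory. It assumes HTTP requests to the management interface are logged in Common Log Format by an upstream proxy or sensor; the sample lines, addresses and page names are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; addresses are from
# documentation ranges and the page names are hypothetical.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jun/2025:10:00:01 +0000] "GET /currentsetting.htm HTTP/1.1" 200 312
198.51.100.7 - - [03/Jun/2025:10:00:05 +0000] "GET /example_page.htm%00currentsetting.htm HTTP/1.1" 200 8841
192.0.2.10 - - [03/Jun/2025:10:00:09 +0000] "GET /example_page.htm HTTP/1.1" 401 0
198.51.100.7 - - [03/Jun/2025:10:00:12 +0000] "GET /other_page.htm%00CurrentSetting.htm?x=1 HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Percent-decoded form of the suffix named in the advisory, lower-cased.
MARKER = "\x00currentsetting.htm"


def find_bypass_attempts(log_text):
    """Return (client, raw_target, status) for requests whose path carries
    an encoded NUL byte followed by currentsetting.htm."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["target"].split("?", 1)[0]  # ignore the query string
        decoded = unquote(path).lower()      # %00 becomes a real NUL byte
        # A plain /currentsetting.htm request has no NUL and is not flagged.
        if MARKER in decoded:
            hits.append((m["client"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for client, target, status in find_bypass_attempts(SAMPLE_LOG):
        verdict = "served" if status == 200 else "rejected"
        print(f"{client} {target} -> {status} ({verdict})")
```

A 200 response to a flagged request is the case to triage first, since it indicates the page content was returned.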
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References
- github.com/Shuanunio/CVE_Requests/blob/main/Netgear/WNR614/ACL%20bypass%20Vulnerability%20in%20Netgear%20WNR614.md (mitre, exploit)
- vuldb.com (mitre, third-party-advisory)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
- www.netgear.com (mitre, product)