Netgear has admitted that multiple security vulnerabilities in its business-grade BR200 and BR500 VPN routers can’t be fixed due to technical limitations outside its control, and is offering users a free or discounted replacement router.
The routers and the vulnerabilities
Netgear’s BR200 and BR500 VPN routers are marketed as remote networking solutions for small to medium-size businesses and home offices, and provide features such as site-to-site VPN connections, a firewall, remote configuration and monitoring, and more.
Netgear doesn’t detail the vulnerabilities reported by security researcher Joel St. John, but simply says that, “In order to be exploited, these vulnerabilities require the computer managing the router to visit a malicious website or click a malicious link while accessing the router’s management GUI,” and that they score a high 7.1 on the CVSS (3.0) scale.
The company says it is possible to mitigate the risk of exploitation by isolating the network using VLANs for enhanced security, using the router’s MAC access control lists (ACLs) to restrict router management to specific computers, and making sure that the computer used to access the router’s management GUI is equipped with anti-virus, anti-malware, and anti-phishing software.
“Do not visit any unknown or suspicious links either in a browser or email client. Close all other browser tabs other than the router’s management GUI. Make sure that you log out when you are not actively managing your router,” the company advises.
These actions can be performed remotely by the users’ IT departments.
Still, Netgear is aware that implementing these measures may not be some companies’ and users’ preferred option. For them, Netgear offers either a free SXR30 (Orbi Pro WiFi 6 Mini AX1800 Router) or a 50% discount on one, depending on when the original router was purchased.