Analysis Summary

A critical authentication bypass vulnerability, tracked as CVE-2025-4978 with a CVSS score of high, has been discovered in NETGEAR DGND3700v2 routers running firmware version V1.1.00.15_1.00.15NA, exposing thousands of devices to remote attacks. This flaw allows cybercriminals to gain full administrative access without requiring valid credentials by simply sending an unauthenticated HTTP GET request to the endpoint /BRS_top.html. When accessed, this endpoint sets an internal variable start_in_blankstate to 1, effectively disabling the router’s HTTP Basic Authentication. The issue lies in the mini_http server, which is responsible for serving the router's administrative web interface.

The vulnerability is rooted in a backdoor-like mechanism in the router’s authentication logic. When start_in_blankstate=1, the function responsible for verifying credentials (sub_404930) skips the authentication process altogether. This flaw persists until the device is rebooted or reset, offering attackers persistent unauthorized access. The mini_http server’s request handler (sub_406058) processes all HTTP traffic, making the bypass extremely dangerous and easy to exploit through a web browser. A public proof-of-concept exploit named “Longue vue” demonstrates this attack, underlining the risk to both local and remotely accessible routers.

The impact of this vulnerability is severe. Once exploited, an attacker can modify DNS settings to redirect traffic, install malware, steal credentials from connected devices, and disable key security features such as firewalls and parental controls. The simplicity of the exploit, combined with the widespread usage of the affected router model, poses a significant threat to both home and small business networks, especially where remote management is enabled.

Despite initially claiming they would not patch the flaw due to the product being end-of-life, NETGEAR has released firmware version 1.1.00.26, which addresses the issue. This contradiction raises concerns about vendor transparency and support for aging infrastructure. Security experts recommend that users immediately replace affected routers with supported models. Where immediate replacement isn't feasible, network segmentation and disabling remote management can serve as temporary mitigation strategies. The disclosure underscores critical issues surrounding device lifecycle management and the growing risks of unsupported network hardware.

Impact

• Sensitive Credential Theft
• Security Bypass
• Unauthorize Access

Indicators of Compromise

CVE

• CVE-2025-4978

Affected Vendors

Remediation

• Refer to the NETGEAR Security Advisory for patch, upgrade, or suggested workaround information.
• Immediately replace NETGEAR DGND3700v2 routers with newer, supported models to eliminate the vulnerability entirely.
• Install firmware version 1.1.00.26, which NETGEAR has quietly released to address this issue, despite labeling the product as out-of-support.
• Turn off remote web management features on the router to prevent external attackers from exploiting the vulnerability over the internet.
• Implement network segmentation to isolate critical devices and limit the impact of a compromised router.
• Since the bypass is reset upon reboot, regularly restarting the device may temporarily clear unauthorized access.
• Keep an eye on DNS settings, connected devices, and administrative logs for signs of unauthorized changes or suspicious activity.
• Establish a policy for retiring end-of-life network equipment to reduce exposure to unpatched vulnerabilities in the future.