New vulnerabilities have been unearthed in 31 models of Netgear routers that could allow hackers to take over devices.

The flaws could allow an attacker to discover or completely bypass any password on an affected Netgear router, giving them full control of the device: changing its configuration, enrolling it in a botnet, or even uploading entirely new firmware.

These bugs follow the command-injection flaws disclosed in Netgear devices in December, underlining the growing risk of running these routers unpatched.

According to a blog post from Trustwave, the issues were discovered when Simon Kenin, a security researcher at the company, was trying to access the web interface of his Netgear VEGN2610 router and could not remember its password.

While “manually fuzzing” the web server with different parameters, he discovered a page called “unauth.cgi”.

“I started looking up what that “unauth.cgi” page could be, and I found two publicly disclosed exploits from 2014, for different models that manage to do unauthenticated password disclosure. Booyah! Exactly what I need,” he said. “Those two guys found out that the number we get from unauth.cgi can be used with passwordrecovered.cgi to retrieve the credentials.”

Kenin said he tested the technique against a different Netgear router and got the same result. He added that a coding error in his test script still returned the credentials, which revealed a second bug.

“This is a totally new bug that I haven't seen anywhere else. When I tested both bugs on different Netgear models, I found that my second bug works on a much wider range of models.”
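The two-request sequence described above (a hit on unauth.cgi, then passwordrecovered.cgi carrying the number that unauth.cgi returned) is easy to spot in HTTP logs recorded by a transparent proxy or network IDS sitting between clients and the router's admin interface. The detector below is an added example written for this page; it is not Trustwave's testing script, and it assumes the token travels in an `id` query parameter, which the article does not state. Because Kenin reports that an erroneous request still returned credentials, the detector also flags passwordrecovered.cgi hits whose token does not match a recent unauth.cgi request from the same client. The log lines are constructed for the example, in combined-log format.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (not from the article or Trustwave's post).
# Client 192.0.2.10 performs the two-step token replay; 192.0.2.30 hits the
# recovery page directly; 192.0.2.40 replays a token that does not match.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jan/2017:10:00:01 +0000] "GET /unauth.cgi?id=40001 HTTP/1.1" 200 512
192.0.2.10 - - [30/Jan/2017:10:00:02 +0000] "GET /passwordrecovered.cgi?id=40001 HTTP/1.1" 200 1024
192.0.2.20 - - [30/Jan/2017:10:01:00 +0000] "GET /index.htm HTTP/1.1" 401 0
192.0.2.30 - - [30/Jan/2017:10:02:00 +0000] "GET /passwordrecovered.cgi?id=1 HTTP/1.1" 200 1024
192.0.2.40 - - [30/Jan/2017:10:03:00 +0000] "GET /unauth.cgi?id=40002 HTTP/1.1" 200 512
192.0.2.40 - - [30/Jan/2017:10:03:01 +0000] "GET /passwordrecovered.cgi?id=99999 HTTP/1.1" 200 1024
"""

# Combined-log prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UNAUTH_PATH = "/unauth.cgi"
RECOVERY_PATH = "/passwordrecovered.cgi"
TOKEN_PARAM = "id"  # assumed parameter name; not stated in the article


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": parts.path,
        "token": parse_qs(parts.query).get(TOKEN_PARAM, [None])[0],
        "status": int(m.group("status")),
    }


def detect_recovery_abuse(lines, window=timedelta(seconds=60)):
    """Return findings as (client_ip, severity, reason) tuples.

    high   : passwordrecovered.cgi carried a token that the same client
             obtained from unauth.cgi within `window` (the replay chain).
    medium : passwordrecovered.cgi was hit without a matching recent
             unauth.cgi token (direct probing, or a mismatched token that
             the router may still honour).
    """
    findings = []
    last_unauth = {}  # client ip -> (timestamp, token) of its latest unauth.cgi hit
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == UNAUTH_PATH:
            last_unauth[rec["ip"]] = (rec["ts"], rec["token"])
            continue
        if rec["path"] != RECOVERY_PATH:
            continue
        prior = last_unauth.get(rec["ip"])
        if prior and rec["ts"] - prior[0] <= window and prior[1] == rec["token"]:
            findings.append((rec["ip"], "high",
                             "unauth.cgi token replayed to passwordrecovered.cgi"))
        else:
            findings.append((rec["ip"], "medium",
                             "passwordrecovered.cgi hit without a matching unauth.cgi token"))
    return findings


if __name__ == "__main__":
    for ip, severity, reason in detect_recovery_abuse(SAMPLE_LOG.splitlines()):
        print(f"{severity:6s} {ip:12s} {reason}")
```

The router does not produce this log itself; the lines model what a proxy or IDS on the same segment would record. Any hit on passwordrecovered.cgi from a source that is not a known administrator doing a deliberate recovery is worth an alert on its own, which is why the mismatched and direct cases are reported rather than dropped.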

Kenin said the flaws affect many models. “We have found more than ten thousand vulnerable devices that are remotely accessible. The real number of affected devices is probably in the hundreds of thousands, if not over a million.”

The vulnerability can be used by a remote attacker only if remote administration has been enabled on the WAN side; it is off by default. However, anyone who can reach the router's web interface from the local network, wired or wireless, can exploit it from inside. That includes public Wi-Fi in cafés and libraries that use vulnerable equipment, so checking the remote-management setting is necessary but not sufficient.

“As many people reuse their password, having the admin password of the router gives us an initial foothold on the network. We can see all the devices connected to the network and try to access them with that same admin password,” he said.

He added that it is possible that some of the vulnerable routers could be infected and ultimately used as bots as well.

Kenin said a full description of the flaws, along with a testing script, is available in Trustwave's blog post.

This article originally appeared at scmagazineuk.com