The Microsoft Security Response Center (MSRC) has always been at the forefront of addressing cyber threats, privacy issues, and abuse arising from Microsoft Online Services. Building on our commitment, we have introduced several key updates to the Report Abuse Portal and API, which will significantly improve the way we handle and respond to abuse reports.

The Microsoft Security Response Center (MSRC) has always been at the forefront of addressing cyber threats, privacy issues, and abuse arising from Microsoft Online Services. Building on our commitment, we have introduced several key updates to the Report Abuse Portal and API, which will significantly improve the way we handle and respond to abuse reports.

**Reporting Suspicious OAuth Application**

Based on the recent rise in malicious apps, attacker trends, and customer feedback, we realized the need to provide the option to report malicious OAuth applications. We are excited to announce a new feature in the MSRC Reporting Portal and the supporting API that allows the reporting of suspicious OAuth applications registered in Entra ID. This enhancement is aimed at streamlining the investigation process and enabling a quicker and more precise response to customer reports, including improving our detections of malicious applications. The step-by-step guidance for reporting apps is provided later in this blog post.  

**Reporting Multiple IPs and URLs in a Single Incident**

A common concern from this community has been the inability to report multiple related IPs or URLs in a single abuse report, often resulting in the need to submit multiple reports for the same incident. We have addressed this issue by updating the Abuse Portal to allow reporting of up to 10 IPs and URLs for the same abuse type in one report. The API has also been updated to support this feature without any restrictions on the number, which is particularly beneficial in cases like DDoS attacks. The step-by-step guidance for this is provided later in this blog post.

Summary of incident types that can be reported via the Portal and the API

1.  IP Address Threats
    
    a. Brute Force
    
    b. Denial of Service
    
    c. Illegal
    
    d. Malware
    
    e. Spam
    
2.  URL-related threats
    
    a. Illegal
    
    b. Malware
    
    c. Responsible AI
    
    d. Phishing Website
    
3.  Security Threats
    
    a. Vulnerability
    
4.  OAuth Applications (new)
    
    a. Fraudulent Publisher
    
    b. Suspicious Apps
    
    c. Misuse of Data
    
5.  Community Gallery
    
    a. Malicious Artifact
    
    b. Malicious Text or URL
    
6.  Other
    
    a. CSEAI
    
    b. Outlook Spam
    
    c. Tech Support
    
    d. Subpoena
    
    e. Unsafe site or URL
    
    f. Infringement
    
    g. Bing Bot
    
    h. Privacy
    

**How to report Suspicious OAuth Applications**

There are three categories of incident types available here:

1.  Fraudulent Publisher - an OAuth App’s publisher or developer appears to be fraudulent or seems to be impersonating an authentic publisher.
2.  Suspicious App - an OAuth App is misrepresenting its identity for fraudulent purposes, including impersonating a legitimate app to mislead users or being used in another abusive way.
3.  Misuse of Data - a legitimate OAuth App from a legitimate publisher is mishandling or abusing access to data in a way that violates the terms of a service agreement.

Fill in the associated form to provide the incident details:

1.  Application ID (or client ID, GUID that globally identifies the application in Entra ID)
2.  Incident Date (when you encountered the suspicious app)
3.  Reason for reporting (above three categories)
4.  Additional details that can help us understand the issue better (be as descriptive as possible, such as where you encountered the suspicious app and why you think it’s suspicious)

**How to add multiple IPs and URLs to a single report**

This option can be leveraged when you would like to report multiple entities associated with the same incident or incident type. This cannot be used to report multiple incident types in the same report. Doing so will result in an incorrect report which can be non-actionable.  

Select the incident type you would like to report. This option is available for the following incident types:

While the rest of the form remains the same, you will notice the option to add more IPs and URLs to the report depending on the incident type. You can add up to 10 at a time in a report using the portal. If you need to report more, please use the API.  

**Report Abuse API Endpoint**

The API can be reached at https://api.msrc.microsoft.com/report/v3.0/swagger/v2/swagger.json

**Looking ahead**

The MSRC engineering team’s significant investments in the Abuse Report Portal and API reflect our ongoing dedication to security and customer satisfaction. We are committed to continuous improvement and are already exploring further enhancements to ensure that MSRC remains a leader in responding to online threats.

We encourage our community to use these new features and provide feedback, which is invaluable in our quest to safeguard Microsoft Online Services.

**Questions or feedback?**

For questions or feedback, please either contact us at msrc\_eng\_support@microsoft.com or share your thoughts at https://aka.ms/msrc-report-abuse-feedback.

_Neha Arora, Senior Product Manager, Microsoft Security Response Center_

What’s new in the MSRC Report Abuse Portal and API

New Add-On Empowers SOCs and MSPs to Automate & Orchestrate Incident Response for Microsoft 365.

**SAN FRANCISCO****,** **Jan. 10, 2023** **/PRNewswire/ --** Vade, the global leader in threat detection and response with 1.4 billion mailboxes protected, today announced the availability of Threat Intel & Investigation. An add-on for Vade's flagship product, Vade for M365, Threat Intel & Investigation provides the integrations, intel, and tools for SOCs and MSPs to investigate and respond to email-borne threats transiting through networks.

According to a 2021 report, breaches caused by phishing emails take an average of 213 days to be identified and another 80 days to be contained. This lag time gives cybercriminals the runway they need to conduct additional attacks on an organization, causing even more damage than the initial attack.

"Email is the #1 vector for cyberattacks," said Adrien Gendre, Chief Technology & Product Officer and cofounder at Vade. "Unfortunately, SOCs and MSPs don't always have visibility into how or when an email threat infiltrated their organization or how far it has spread throughout the network. The speed at which today's cybercriminals are working means that organizations cannot afford to lose precious time on incident response."

Vade for M365 is an AI-based email security solution for Microsoft 365 that catches the advanced phishing, spear phishing and malware threats that bypass Microsoft's native security. The Threat Intel & Investigation add-on for Vade for M365 features five core capabilities designed to empower SOCs and MSPs to automate investigations, orchestrate responses and move swiftly and with precision to live threats:

*   **File Inspector:** Deconstructs files and attachments directly in the Vade for M365 interface—without exposing administrators to risk. File Inspector reveals critical details about files and attachments, providing admins with the data required to make faster decisions, cross-check threats across networks and accelerate incident response across affected endpoints and users.
*   **Log Export:** Injects live email and event logs into any security management system, a powerful two-way integration powered by the Vade for M365 API. Connect Vade's email threat intelligence into your organizations' SIEM or SOAR to trigger automation playbooks and enhance your disaster recovery program.
*   **Reported emails:** Automates collection of user-reported emails and clusters similar, unreported emails in one dashboard, speeding user-based incident response and eliminating time-consuming, manual investigations. Receive alerts when users report emails via Outlook and quickly triage and remediate reported emails, similar emails, and forwarded emails with one click.
*   **Download emails/attachments:** Provides access to raw email intelligence for objective evaluation by threat analysts, saving precious time and resources that are typically wasted on searching for and analyzing raw email data.
*   **Add-on for Splunk:** Integrates Vade for M365 with Splunk without the need for custom software development. Combine Vade's threat intelligence with Splunk's SIEM and SOAR capabilities to have better visibility into the threat landscape and actionable insights with which to orchestrate rapid responses.

Vade partners and customers are already experiencing the benefits of Threat Intel & investigation, including Huntington Technology, a US-based MSP offering comprehensive managed services and managed security services:

"One of my helpdesk technicians excitedly came into my office last week. He asked if I had seen the new 'Reported emails' function within Vade," said William Bluford, Vice President, Huntington Technology. "He explained that we can now see which emails are reported as malicious. Not only can we see those emails, but we can see how many users are affected, and we can then remediate and remove those emails from all user mailboxes. This saves time for my helpdesk team and keeps our clients protected."

"Our customers have made clear that they need better visibility into their cybersecurity landscape," Gendre said. "They're challenged to monitor and manage threats from an array of end points, and IT is overburdened by too many complex tools. Threat Intel & Investigation was designed to give our customers the tools they need to thoroughly investigate threats, cross check those threats across their networks, and develop incident response processes—without the burden of complexity."

Threat Intel & Investigation on brings all these capabilities to Vade for M365. Vade's latest innovation will reduce incident response time, eliminate the need for additional security investments, and free up critical IT resources. Threat Intel & Investigation is available today in Vade for M365. To learn more, visit Threat Intel & Investigation.

**About Vade**

Vade is a global cybersecurity company specializing in the development of threat detection and response technology with artificial intelligence. Vade's products and solutions protect consumers, businesses, and organizations from email-borne cyberattacks, including malware/ransomware, spear phishing/business email compromise, and phishing.

Founded in 2009, Vade protects more than 1.4 billion corporate and consumer mailboxes and serves the ISP, SMB, and MSP markets with award-winning products and solutions that help increase cybersecurity and maximize IT efficiency.

To learn more, please visit www.vadesecure.com and follow us on Twitter @vadesecure or LinkedIn https://www.linkedin.com/company/vade-secure/.

SOURCE Vade

Vade Releases Advanced Threat Intel & Investigation Capabilities

Cyberattackers like IPFS because it is resilient to content blocking and takedown efforts.

As has happened with other Web technologies designed for legitimate use, the InterPlanetary File System (IPFS) peer-to-peer network for storing and accessing content in a decentralized fashion has become a potent new weapon for cyberattacks.

Researchers from Cisco Talos this week reported observing multiple malicious campaigns leveraging the IPFS to host phishing kits and malware payloads. For many attackers, the IPFS has become the equivalent of a bulletproof hosting provider that is mostly impervious to takedown efforts, Talos said. Complicating matters for defenders is the fact that the IPFS is often used for legitimate purposes. So, differentiating between benign and malicious IPFS activity is another challenge, the security vendor said.

"Organizations should become familiar with these new technologies and how they are being leveraged by threat actors to defend against new techniques that use them," Talos said in a report summarizing the threat.

**Growing Threat**

This marks at least the second time in recent months that researchers have sounded the alarm on IPFS becoming a hotbed of cybercrime activity.

In July, Trustwave's SpiderLabs noted how its researchers had identified more than 3,000 emails with phishing URLs hosted in the IPFS in a three-month period. Phishing pages that it observed on the IPFS included those that spoofed Microsoft Outlook login pages, Google domains and cloud storage services such as Filebase.io and nftstorage.link. "Phishing techniques have taken a leap by utilizing the concept of decentralized cloud services using IPFS," Trustwave said. The growing use of IPFS by many file storage, Web hosting, and cloud service companies means that attackers have a lot more flexibility in creating new phishing URLs that cannot be easily blocked, the security vendor said.

IPFS is a peer-to-peer file sharing system that Protocol Labs launched in 2015. The network is designed to allow decentralized storage of content. Content stored in the IPFS is mirrored across multiple nodes, or systems that participate in the network. Individuals and others can use IPFS to store different types of data including webpages, files, NFTs, and documents.

Resources stored on the IPFS are assigned unique identifiers. Users can employ the identifier to access the content via IPFS clients or gateways, which are like gateways for accessing content on the Tor network. Because content is mirrored on IPFS, it is always available even if one node goes down.

This has made the IPFS an attractive option for hosting phishing kits and malware for cybercriminals. Because content on the IPFS does not have a static IP address, it cannot be blocked using standard IP blocking and blacklisting mechanisms. Similarly, taking down a node containing phishing pages and malware does little to neutralize a threat because the content is mirrored across multiple nodes. There is also no central authority on the IPFS that law enforcement or security vendors can contact to take down a phishing or malware distributing site.

In an example of how attackers are abusing IPFS, Talos pointed to a phishing campaign in which victims receive an email with an attached PDF that purports to be associated with the DocuSign document signing service. When a user clicks on the "Review Document" link, they are directed to a webpage that appears to be a legitimate Microsoft authentication page but is really a credential-harvesting page hosted on the IPFS network.

In situations where an IPFS gateway might recognize the resource being requested as malicious and block access, attacker simply change the IPFS gateway that is used to retrieve the content, Talos said.

**Phishing Not the Only Threat**

Phishing pages are not the only threat. A growing number of attackers are also leveraging the peer-to-peer network to distribute malicious payloads.

In one campaign that Talos researchers observed, the attacker sent victims a phishing email with a ZIP attachment containing a malware dropper in the form of a PE32 executable. When run, the downloader would reach out to an IPFS gateway and retrieve a second-stage malware payload hosted on the peer-to-peer network. The attack chain ended with the Agent Tesla remote-access Trojan getting dropped on the victim's system.

Talos researchers also found a destructive, disk-wiping malware tool and a full-featured information-stealer called Hannabi Grabber hosted in IPFS nodes.

"Many new Web3 technologies have emerged recently, attempting to provide valuable functionality to users," Talos said in the report. "As these technologies have continued to see increased adoption for legitimate purposes, they have begun to be leveraged by adversaries as well."

The researchers expect the trend to gain momentum as more threat actors realize the IPFS is resilient to content moderation and takedown efforts.

"Organizations should be aware of how these newly emerging technologies are being actively used across the threat landscape and evaluate how to best implement security controls to prevent or detect successful attacks in their environments," the vendor said.

InterPlanetary File System Increasingly Weaponized for Phishing, Malware Delivery

Don’t fuss now — just another spoonful of multifactor authentication to keep the organization strong and the data safer.

Don’t fuss now — just another spoonful of multifactor authentication to keep the organization strong and the data safer.

Like it or not, vegetables are good for us. They reduce our risk of chronic diseases and deliver the vitamins our bodies need. And yet, the CDC reports that only 10% of American adults eat enough veggies — even though they likely know they should. Companies are the same when it comes to security.

There are 921 password attacks every second — almost double what we saw a year ago. Basic security hygiene like multifactor authentication (MFA) can protect against 98% of attacks, but 38% of large companies and 62% of small to midsize companies don’t do it. Enabling MFA adds another layer of protection to prevent threat actors from accessing internal networks. But if strengthening a company’s cybersecurity posture is as easy as enabling MFA, it begs the question: Why won’t companies eat their vegetables?

**What’s Stopping Companies From Enabling MFA?**

Although every enterprise is different, there are a few common trends when it comes to the reasons they don’t deploy MFA.

*   **MFA costs too much:** Security team resources are already limited, so adding an additional tool to their portfolio can be a tough sell. Luckily, some security providers offer MFA for free as part of their security defaults. Security defaults were created to make managing security a little easier. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.
*   **They think their users will hate MFA:** Users want to be productive wherever and whenever they are working without sacrificing their organization’s security. Conditional access is one modern approach to MFA. Instead of prompting a user for a second factor every time they authenticate, security programs can look at several different elements to determine if something has changed or is unusual about this user before prompting them. It looks at things like where the user is signing in from, whether their device is healthy, and if there’s any suspicious behavior — for example, if the user typically signs in from France and someone tries to sign in with their credentials from Seattle at the same time, something is definitely wrong.
    
    End users can also choose how they want to supply the second factor when they do get a prompt. No fancy equipment is required. Users can choose something as simple as an SMS message or phone call, though we recommend stronger authentication methods like an app or specific security key. They can even have multiple devices that use different methods for different environments and have backup devices in case they lose one or forget one at home.
    
    **MFA’s Too Hard to Deploy**
    
    Another reason enterprises give for not implementing MFA is that it’s too difficult to deploy. However, organizations can leverage conditional access policies to protect cloud implementations, as opposed to relying on a physical server or software.
    
    We’ve recently added conditional access templates to make configuring the policies even easier. Security teams can quickly create a new policy from any of the 14 built-in templates. They help companies provide maximum protection for their users and devices and align with the most commonly used policies. These include things like “Require multifactor authentication for admin,” or “Require password change for high-risk users.” Cloud service providers often offer a list of recommended policies, and organizations can target conditional access policies to a specific set of users, apps or devices to easily deploy different policies at scale.
    
    Ultimately, an enterprise must be able to protect its own operations, and its users, from ongoing cybersecurity threats. And enabling MFA is just one tool in a security team’s kit.
    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Editors' Choice

Jeffrey Schwartz, Contributing Writer, Dark Reading

Tara Seals, Managing Editor, News, Dark Reading

Elizabeth Montalbano, Contributor, Dark Reading

Dark Reading Staff, Dark Reading

Webinars

*   How to Protect Your Legacy Software Applications
*   Developing and Testing an Effective Breach Response Plan
*   Cloud Security Essentials
*   Seeing Your Attack Surface Through the Eyes of an Adversary
*   Security Considerations for Working with Cloud Services Providers

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Implementing Zero Trust In Your Enterprise: How to Get Started
*   2021 Data Breach Investigations Report (DBIR)
*   Cloud & Hybrid Security Tooling Report
*   Future Proofing Your Network for 5G

White Papers

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Ransomware Resilience and Response: The Next-Generation
*   Ransomware Is On The Rise
*   How Hybrid Work Fuels Ransomware Attacks
*   Implementing Zero Trust In Your Enterprise: How to Get Started

Events

*   Cybersecurity Outlook 2023 - December 13 Event
*   Black Hat Europe - December 5-8 - Learn More
*   \[FREE Virtual Event\] The Identity Crisis

Is MFA the Vegetable of Cybersecurity?

An ongoing cyberattack campaign with apparent ties to China uses a new version of sophisticated JavaScript remote access Trojan JSOutProx and is now targeting banks in the Middle East.

Source: Irina Shi via Shutterstock

The sophisticated threat group behind a complex JavaScript remote access Trojan (RAT) known as JSOutProx has released a new version of the malware to target organizations in the Middle East.

Cybersecurity services firm Resecurity analyzed technical details of multiple incidents involving the JSOutProx malware targeting financial customers and delivering either a fake SWIFT payment notification if targeting an enterprise, or a MoneyGram template when targeting private citizens, the company wrote in a report published this week. The threat group has targeted government organizations in India and Taiwan, as well as financial organizations in the Philippines, Laos, Singapore, Malaysia, India — and now Saudi Arabia.

The newest version of JSOutProx is a very flexible and well-organized program from a development perspective, allowing the attackers to tailor is functionality for the victim's specific environment, says Gene Yoo, CEO of Resecurity.

"It's a malware implant with multiple stages, and it has multiple plug-ins," he says. "Depending on the victim's environment, it goes right in and then actually bleeds them or poisons the environment, depending on what plug-ins are enabled."

The attacks are the latest campaign by a cybercriminal group known as Solar Spider, which appears to be the only group using the JSOutProx malware. Based on the group's targets — typically organizations in India, but also in the Asia-Pacific, Africa, and Middle East regions — it's likely linked to China, Resecurity stated in its analysis.

"By profiling the targets, and some of the details that we obtained in the infrastructure, we suspect that it's related to China," Yoo says.

**"Highly Obfuscated ... Modular Plug-in"**

JSOutProx is well known in the financial industry. Visa, for example, documented campaigns using the attack tool in 2023, including one pointed at several banks in the Asia-Pacific region, the company stated in its Biannual Threats Report published in December.

The remote access Trojan (RAT) is a "highly obfuscated JavaScript backdoor, which has modular plugin capabilities, can run shell commands, download, upload, and execute files, manipulate the file system, establish persistence, take screenshots, and manipulate keyboard and mouse events," Visa stated in its report. "These unique features allow the malware to evade detection by security systems and obtain a variety of sensitive payment and financial information from targeted financial institutions.

JSOutProx typically appears as a PDF file of a financial document in a zip archive. But really, it's JavaScript that executes when a victim opens the file. The first stage of the attack collects information on the system and communicates with command-and-control servers obfuscated via dynamic DNS. The second stage of the attack downloads any of some 14 plug-ins to conduct further attacks, including gaining access to Outlook and the user's contact list, and enabling or disabling proxies on the system.

The RAT downloads plugins from GitHub — or more recently, GitLab — to appear legitimate.

"The discovery of the new version of JSOutProx, coupled with the exploitation of platforms like GitHub and GitLab, emphasizes these malicious actors’ relentless efforts and sophisticated consistency," Resecurity said in its analysis.

**Monetizing Data From Middle East Financials**

Once Solar Spider compromises a user, the attackers collect information, such as primary account numbers and user credentials, and then conduct a variety of malicious actions against the victim, according to Visa's threat report.

"The JSOutProx malware poses a serious threat to financial institutions around the world, and especially those in the AP region as those entities have been more frequently targeted with this malware," the Visa report stated.

Companies should educate employees about how to handle unsolicited, suspicious correspondence to mitigate the threat of the malware, Visa stated. In addition, any instance of the malware must be investigated and completely remediated to prevent reinfection.

Bigger companies and government agencies are more likely to be attacked by the group because Solar Spider has its sights on the most successful firms, Resecurity's Yoo says. For the most part, however, companies don't have to take threat-specific steps but instead focus on defense-in-depth strategies, he says.

"The user should focus on not looking at the shiny object in the sky, like the Chinese are attacking, but on what they need to do is create a better foundation," Yoo says. "Having good patching, network segmentation, and vulnerability management. If you do that, then none of this would" likely impact your users.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Solar Spider Spins Up New Malware to Entrap Saudi Arabian Financial Firms

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 10 and March 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for March 10 to March 17

Certain NETGEAR devices are affected by server-side injection. This affects RBK40 before 2.5.1.16, RBR40 before 2.5.1.16, RBS40 before 2.5.1.16, RBK20 before 2.5.1.16, RBR20 before 2.5.1.16, RBS20 before 2.5.1.16, RBK50 before 2.5.1.16, RBR50 before 2.5.1.16, RBS50 before 2.5.1.16, and RBS50Y before 2.6.1.40.

Was this article helpful?   Yes     No

Associated CVE IDs: None 

First published: 2021-09-25

NETGEAR has released fixes for a server side injection security vulnerability on the following product models:

*   RBK40, running firmware versions prior to 2.5.1.16
*   RBR40, running firmware versions prior to 2.5.1.16
*   RBS40, running firmware versions prior to 2.5.1.16
*   RBK20, running firmware versions prior to 2.5.1.16
*   RBR20, running firmware versions prior to 2.5.1.16
*   RBS20, running firmware versions prior to 2.5.1.16
*   RBK50, running firmware versions prior to 2.5.1.16
*   RBR50, running firmware versions prior to 2.5.1.16
*   RBS50, running firmware versions prior to 2.5.1.16
*   RBS50Y, running firmware versions prior to 2.6.1.40

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
     If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**. 
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The server side injection vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

**Acknowledgements**

aircut

**Common Vulnerability Scoring System**

CVSS Rating: High

CVSS Score: 7.1

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

**Best Practices for Updating Firmware**

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products. 

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

**Contact**

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

**Revision History**

2021-09-25: Published advisory

Last Updated:09/30/2021 | Article ID: 000064065

**Was this article helpful?**Yes No

**This article applies to:**

*   Orbi (10)
    *   RBK20
    *   RBK40
    *   RBK50
    *   RBR20
    *   RBR40
    *   RBR50
    *   RBS20
    *   RBS40
    *   RBS50
    *   RBS50Y

How to Find Your Model Number

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2021-45661: Security Advisory for Server Side Injection on Some WiFi Systems, PSV-2019-0134 | Answer

Was this article helpful?   Yes     No

Associated CVE IDs: None 

First published: 2021-09-25

NETGEAR has released fixes for a server side injection security vulnerability on the following product models:

*   RBK40, running firmware versions prior to 2.5.1.16
*   RBR40, running firmware versions prior to 2.5.1.16
*   RBS40, running firmware versions prior to 2.5.1.16
*   RBK20, running firmware versions prior to 2.5.1.16
*   RBR20, running firmware versions prior to 2.5.1.16
*   RBS20, running firmware versions prior to 2.5.1.16
*   RBK50, running firmware versions prior to 2.5.1.16
*   RBR50, running firmware versions prior to 2.5.1.16
*   RBS50, running firmware versions prior to 2.5.1.16
*   RBS50Y, running firmware versions prior to 2.6.1.40

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
     If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**. 
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The server side injection vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

**Acknowledgements**

aircut

**Common Vulnerability Scoring System**

CVSS Rating: High

CVSS Score: 7.1

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

**Best Practices for Updating Firmware**

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products. 

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

**Contact**

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

**Revision History**

2021-09-25: Published advisory

Last Updated:09/30/2021 | Article ID: 000064064

**Was this article helpful?**Yes No

**This article applies to:**

*   Orbi (10)
    *   RBK20
    *   RBK40
    *   RBK50
    *   RBR20
    *   RBR40
    *   RBR50
    *   RBS20
    *   RBS40
    *   RBS50
    *   RBS50Y

How to Find Your Model Number

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2021-45660: Security Advisory for Server Side Injection on Some WiFi Systems, PSV-2019-0133 | Answer

Certain NETGEAR devices are affected by stored XSS. This affects RAX200 before 1.0.5.126, RAX20 before 1.0.2.82, RAX80 before 1.0.5.126, RAX15 before 1.0.2.82, and RAX75 before 1.0.5.126.

Was this article helpful?   Yes     No

Associated CVE IDs: None

First published: 2021-12-20

NETGEAR has released fixes for a stored cross site scripting security vulnerability on the following product models:

*   RAX200, running firmware versions prior to 1.0.5.126
*   RAX20, running firmware versions prior to 1.0.2.82
*   RAX80, running firmware versions prior to 1.0.5.126
*   RAX15, running firmware versions prior to 1.0.2.82
*   RAX75, running firmware versions prior to 1.0.5.126

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
    If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**.
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The stored cross site scripting vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

**Acknowledgements**

arunmagesh

**Common Vulnerability Scoring System**

CVSS Rating: Low

CVSS Score: 4.3

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

**Best Practices for Updating Firmware**

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products.

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

**Contact**

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

**Revision History**

2021-12-20: Published advisory

Last Updated:12/20/2021 | Article ID: 000064462

**Was this article helpful?**Yes No

**This article applies to:**

*   Wireless AX Router Nighthawk (WiFi 6) (5)
    *   RAX15
    *   RAX20
    *   RAX200
    *   RAX75
    *   RAX80

How to Find Your Model Number

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2021-45676: Security Advisory for Stored Cross Site Scripting on Some Routers, PSV-2020-0161 | Answer

Certain NETGEAR devices are affected by stored XSS. This affects R7000 before 1.0.11.110, R7900 before 1.0.4.30, R8000 before 1.0.4.62, RAX15 before 1.0.2.82, RAX20 before 1.0.2.82, RAX200 before 1.0.3.106, RAX75 before 1.0.3.106, and RAX80 before 1.0.3.106.

Was this article helpful?   Yes     No

Associated CVE IDs: None 

First published: 2021-09-26

NETGEAR has released fixes for a stored cross site scripting security vulnerability on the following product models:

*   R7000, running firmware versions prior to 1.0.11.110
*   R7900, running firmware versions prior to 1.0.4.30
*   R8000, running firmware versions prior to 1.0.4.62
*   RAX15, running firmware versions prior to 1.0.2.82
*   RAX20, running firmware versions prior to 1.0.2.82
*   RAX200, running firmware versions prior to 1.0.3.106
*   RAX75, running firmware versions prior to 1.0.3.106
*   RAX80, running firmware versions prior to 1.0.3.106

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
     If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**. 
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The stored cross site scripting vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

**Acknowledgements**

MiniRocketTeam

**Common Vulnerability Scoring System**

CVSS Rating: Low

CVSS Score: 3.2

CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N

**Best Practices for Updating Firmware**

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products. 

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

**Contact**

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

**Revision History**

2021-09-26: Published advisory

Last Updated:10/01/2021 | Article ID: 000064077

**Was this article helpful?**Yes No

**This article applies to:**

*   Wireless AX Router Nighthawk (WiFi 6) (5)
    *   RAX15
    *   RAX20
    *   RAX200
    *   RAX75
    *   RAX80
*   Wireless AC Router Nighthawk (3)
    *   R7000
    *   R7900
    *   R8000

How to Find Your Model Number

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

Search

outlook iniciare sesión