Is CVE-2016-6277 exploitable?

Yes — CVE-2016-6277 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning it is confirmed exploited in the wild.

Is CVE-2016-6277 a false positive?

No practitioners have marked CVE-2016-6277 a false positive so far (2 verdicts).

How do I remediate CVE-2016-6277?

See the authoritative references (NVD, vendor advisory) and community field notes on this page for remediation guidance.

CVE-2016-6277

Cross-Site Request Forgery (CSRF) — is CVE-2016-6277real, exploitable, or a false positive? Here's the community ground truth.

☆ Watch

High · CVSS 8.8EPSS 99.8%CISA KEVCWE-352 · Cross-Site Request Forgery (CSRF)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/.

References

NVD MITRE CVE.org CISA KEV

Published Dec 14, 2016

Embed this verdict

Markdown

[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2016-6277/badge.svg)](https://www.truepositive.app/cve/CVE-2016-6277)

HTML

<a href="https://www.truepositive.app/cve/CVE-2016-6277"><img src="https://www.truepositive.app/cve/CVE-2016-6277/badge.svg" alt="TruePositive verdict for CVE-2016-6277"></a>

Live badge — updates automatically as the community verdict changes.

Community ground truth

Community verdict

2 verdicts

Not a real issue

to add your verdict.

Community real-world severity: High (High 2) — CVSS base score 8.8

In line with its CVSS base score.

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

No notes yet — be the first to share what you saw or a fix that worked.