The routers listed below are vulnerable. New firmware has been released for some of the models and is available here: http://kb.netgear.com/000036386/CVE-2016-582384
Netgear R7000, firmware version 22.214.171.124_1.1.93 and possibly earlier, R6400, firmware version 126.96.36.199_1.0.11 and possibly earlier, and R8000, firmware version 188.8.131.52_1.1.2 and possibly earlier, contain an arbitrary command injection vulnerability.
By convincing a user to visit a specially crafted web site, a remote, unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. An unauthenticated, LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:
An exploit demonstrating these vulnerabilities has been publicly disclosed.
Netgear’s advisory confirms that the R6200, R6400, R6700, R7000, R7100LG, R7300, R7900, and R8000 are vulnerable, though affected firmware versions are not enumerated. The vendor has indicated that their advisory will be updated as firmware updates are released.