The vulnerability was properly patched in at least one device that had previously been identified as affected — the Cisco WAP4410N wireless access point. A firmware update for that device causes the backdoor to listen only to the loopback address 127.0.0.1, meaning it can't be accessed remotely, according to the researcher.
The new mechanism for reactivating the backdoor might be present in other previously affected routers that received firmware patches for the vulnerability, but so far the researcher has only tested the update for the Netgear DGN1000.
"Sercomm is the manufacturer of the routers found vulnerable to the port 32764 backdoor," the researcher said. "It's almost certain that they introduced the backdoor and the new service to reactivate it."
Netgear is in the process of issuing firmware updates for products that contained the backdoor: DG834G, DG384B, DGN3500B, DGN2000B, DGND330Bv2, DM111Pv2, DM111PSPv2, JNR3210, DGN3500, DGN1000 v1, DGN1000 v2 and DGN1000B. Updates had already been released for the last four models.
"All but two — DM111PSPv2 and JNR3210 — of these products are no longer being manufactured," the company said in an emailed statement.
"We are currently working with our technology partner, Sercomm, to investigate the assertions that the firmware patch did not remove the vulnerability," the company said. "If we find that any issues exist, we will make the necessary firmware changes and update the installed base."
Sercomm did not immediately respond to a request for comment.
Sign up for Computerworld eNewsletters.