CVE-2017-18734
Description
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects JNR1010v2 before 1.1.0.44, JR6150 before 1.0.1.10, JWNR2010v5 before 1.1.0.44, PR2000 before 1.0.0.18, R6050 before 1.0.1.10, R6220 before 1.1.0.50, R6700v2 before 1.2.0.4, R6800 before 1.2.0.4, R6900v2 before 1.2.0.4, WNDR3700v5 before 1.1.0.48, WNR1000v4 before 1.1.0.44, WNR2020 before 1.1.0.44, and WNR2050 before 1.1.0.44.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NETGEAR routers and extenders are vulnerable to pre-authentication command injection, allowing an unauthenticated attacker to execute arbitrary commands.
Vulnerability
A pre-authentication command injection vulnerability exists in certain NETGEAR devices, allowing an unauthenticated attacker to inject arbitrary commands [1]. The affected products include JNR1010v2 before 1.1.0.44, JR6150 before 1.0.1.10, JWNR2010v5 before 1.1.0.44, PR2000 before 1.0.0.18, R6050 before 1.0.1.10, R6220 before 1.1.0.50, R6700v2 before 1.2.0.4, R6800 before 1.2.0.4, R6900v2 before 1.2.0.4, WNDR3700v5 before 1.1.0.48, WNR1000v4 before 1.1.0.44, WNR2020 before 1.1.0.44, and WNR2050 before 1.1.0.44 [1]. The vulnerability is present in the firmware and can be triggered without authentication.
Exploitation
An attacker can exploit this vulnerability without any prior authentication [1]. The attacker must be able to reach the affected device over the network; the CVSS vector gives the attack vector as adjacent network (AV:A) [1]. Exploitation does not require user interaction or any special privileges [1]. The exact attack vector and sequence of steps are not detailed in the available references, but the pre-authentication nature implies the vulnerability is reachable through network services exposed by the device.
Impact
Successful exploitation grants an attacker the ability to execute arbitrary commands on the device [1]. The CVSS v3 score of 8.8 indicates a high severity, with impact on confidentiality, integrity, and availability all rated as high [1]. This could allow an attacker to fully compromise the affected device, potentially leading to unauthorized access, data exfiltration, or use of the device as a foothold in the network.
Mitigation
NETGEAR has released firmware fixes for all affected models [1]. The fixed versions are: JNR1010v2 1.1.0.44, JR6150 1.0.1.10, JWNR2010v5 1.1.0.44, PR2000 1.0.0.18, R6050 1.0.1.10, R6220 1.1.0.50, R6700v2 1.2.0.4, R6800 1.2.0.4, R6900v2 1.2.0.4, WNDR3700v5 1.1.0.48, WNR1000v4 1.1.0.44, WNR2020 1.1.0.44, and WNR2050 1.1.0.44 [1]. Users are strongly recommended to upgrade to the latest firmware as soon as possible [1]. No workarounds are provided; updating firmware is the only mitigation.
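The fixed-version list above can be turned into an inventory check. The following is an added example, not code from NETGEAR or from this page: the CSV layout, the host names and the tolerance for a leading `V` or a trailing `_suffix` in firmware strings are assumptions, and the sample rows are constructed. It compares versions numerically, because a plain string comparison would rank 1.1.0.9 above 1.1.0.44 and report an unpatched device as fixed.

```python
import re

# Fixed firmware versions per model, copied from the advisory text above.
FIXED = {
    "JNR1010v2": "1.1.0.44", "JR6150": "1.0.1.10", "JWNR2010v5": "1.1.0.44",
    "PR2000": "1.0.0.18", "R6050": "1.0.1.10", "R6220": "1.1.0.50",
    "R6700v2": "1.2.0.4", "R6800": "1.2.0.4", "R6900v2": "1.2.0.4",
    "WNDR3700v5": "1.1.0.48", "WNR1000v4": "1.1.0.44", "WNR2020": "1.1.0.44",
    "WNR2050": "1.1.0.44",
}
_BY_MODEL = {model.lower(): fixed for model, fixed in FIXED.items()}

def parse_version(text):
    """Return the leading dotted version as a tuple of ints, or None."""
    m = re.match(r"\s*[Vv]?(\d+(?:\.\d+)+)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def assess(model, firmware):
    """Classify a device as 'vulnerable', 'fixed', 'not-listed' or 'unparsed'."""
    # Exact model match: R6700 (not in the advisory) must not match R6700v2.
    fixed = _BY_MODEL.get(model.strip().lower())
    if fixed is None:
        return "not-listed"
    have = parse_version(firmware)
    if have is None:
        return "unparsed"
    return "vulnerable" if have < parse_version(fixed) else "fixed"

def audit(inventory_csv):
    """Assess each 'host,model,firmware' line (assumed layout)."""
    rows = []
    for line in inventory_csv.strip().splitlines():
        host, model, firmware = (f.strip() for f in line.split(","))
        rows.append((host, model, firmware, assess(model, firmware)))
    return rows

# Constructed sample inventory, not real devices.
SAMPLE = """
ap-lobby,R6220,1.1.0.9
ap-lab,R6220,V1.1.0.100_1.0.1
gw-branch,R6700v2,1.2.0.4
gw-home,R6700,1.0.1.22
ap-store,WNDR3700v5,unknown
"""

if __name__ == "__main__":
    for host, model, firmware, status in audit(SAMPLE):
        print(f"{host:10} {model:11} {firmware:18} {status}")
```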
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (14)
- NETGEAR/devices (description)
- Range: <1.1.0.44
- Range: <1.1.0.48