CVE-2017-18863

Vulnerability

CVE-2017-18863 is a command injection vulnerability affecting multiple NETGEAR wireless access points. The flaw resides in insecure PHP forms that fail to properly validate user input, allowing an attacker to inject arbitrary operating system commands. Affected models and firmware versions include WN604 (3.3.3 and earlier), WNAP210v2 (3.5.20.0 and earlier), WNAP320 (3.5.20.0 and earlier), WNDAP350 (3.5.20.0 and earlier), WNDAP360 (3.5.20.0 and earlier), WNDAP620 (2.0.11 and earlier), WNDAP660 (3.5.20.0 and earlier), WND930 (2.0.11 and earlier), and WAC120 (2.0.7 and earlier) [1].

Exploitation

The vulnerability can be exploited by a local attacker who sends crafted commands through the insecure PHP forms. Additionally, cross-site request forgery (CSRF) and cross-site scripting (XSS) can be leveraged to trigger the same command execution remotely, broadening the attack surface [1]. No special privileges beyond network access to the management interface are required for the local attack vector, while remote exploitation may rely on tricking an authenticated administrator into visiting a malicious page.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the affected device and obtain read and write access to its file system. This results in full compromise of the access point's confidentiality, integrity, and availability, including the ability to modify configuration, exfiltrate data, or disrupt network operations [1].

Mitigation

NETGEAR has released firmware fixes for all affected products that properly validate PHP form input and resolve the command injection and file system corruption vulnerabilities. Users are strongly advised to upgrade to the latest available firmware for their respective models [1]. No workarounds are documented; applying the vendor firmware update is the only mitigation.