VYPR
Unrated severity · NVD Advisory · Published Apr 21, 2020 · Updated Aug 5, 2024

CVE-2018-21140

Description

Certain NETGEAR devices are affected by incorrect configuration of security settings. This affects D3600 before 1.0.0.76 and D6000 before 1.0.0.76.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Security misconfiguration in NETGEAR D3600 and D6000 before 1.0.0.76 allows adjacent network attackers to execute arbitrary code or cause denial of service.

Vulnerability

A security misconfiguration exists in NETGEAR D3600 and D6000 modem routers running firmware versions prior to 1.0.0.76 [1]. The advisory describes an incorrect configuration of security settings that could lead to serious consequences [1]. The vulnerability requires no special conditions beyond being on the local network and having default configuration settings.

Exploitation

An attacker with network adjacency (i.e., within the same local network) can exploit this misconfiguration without any authentication or user interaction [1]. The advisory does not detail the specific exploitation steps, but the CVSS vector (AV:A/AC:L/PR:N/UI:N: adjacent-network access, low attack complexity, no privileges required, no user interaction) indicates a low-complexity attack path [1].

Impact

Successful exploitation enables an attacker to achieve high impact on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or denial of service [1]. The attacker gains the same level of privileges as the affected device's firmware, with no requirement for prior authentication.

Mitigation

NETGEAR released firmware version 1.0.0.76 for both D3600 and D6000 to fix the security misconfiguration [1]. Users should update to this version immediately via the NETGEAR Support page [1]. No workarounds are mentioned; the only mitigation is applying the patch.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

1
