VYPR
Unrated severity · NVD Advisory · Published Apr 21, 2020 · Updated Aug 5, 2024

CVE-2018-21146

Description

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.34, R7800 before 1.0.2.42, R8900 before 1.0.3.10, R9000 before 1.0.3.10, WNDR4300v2 before 1.0.0.54, and WNDR4500v3 before 1.0.0.54.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated command injection affects multiple NETGEAR routers and gateways, allowing a high-privilege attacker to execute arbitrary system commands.

Vulnerability

A post-authentication command injection vulnerability exists in the web management interface of several NETGEAR devices. Affected models and their vulnerable firmware versions are: D7800 before 1.0.1.34, R7800 before 1.0.2.42, R8900 before 1.0.3.10, R9000 before 1.0.3.10, WNDR4300v2 before 1.0.0.54, and WNDR4500v3 before 1.0.0.54 [1]. The vulnerability allows an attacker who has already authenticated to the device to inject operating system commands through a vulnerable input parameter.

Exploitation

An attacker must first obtain valid administrator credentials for the affected device. With those credentials, the attacker can send a crafted HTTP request to the web management interface that includes malicious command payloads. Beyond those credentials, the only requirement is network access to the device's management interface; no interaction from any other user is required [1].

Impact

Successful exploitation enables the attacker to execute arbitrary operating system commands on the device with root privileges. This can lead to full compromise of the device, including unauthorized access to network traffic, modification of device configuration, denial of service, and potential pivot attacks to other internal network hosts [1].

Mitigation

NETGEAR has released fixed firmware versions for all affected models: D7800 1.0.1.34, R7800 1.0.2.42, R8900 1.0.3.10, R9000 1.0.3.10, WNDR4300v2 1.0.0.54, and WNDR4500v3 1.0.0.54 [1]. Users should update to the latest firmware immediately. There is no known workaround for this vulnerability beyond applying the patch [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 7

References: 1