CVE-2018-21208
Description
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D6100 before 1.0.0.57, R6100 before 1.0.1.20, R7500v2 before 1.0.3.24, WNDR4300v2 before 1.0.0.50, and WNDR4500v3 before 1.0.0.50.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pre-authentication command injection in multiple NETGEAR routers and gateways allows unauthenticated attackers to execute arbitrary commands, leading to full device compromise.
Vulnerability
A pre-authentication command injection vulnerability exists in the web interfaces of multiple NETGEAR devices. This flaw resides in the handling of unsanitized user input before authentication is established. Affected models include D6100 before firmware version 1.0.0.57, R6100 before 1.0.1.20, R7500v2 before 1.0.3.24, WNDR4300v2 before 1.0.0.50, and WNDR4500v3 before 1.0.0.50 [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable device. No account on the device is needed, but the CVSS vector indicates an adjacent network attack vector (AV:A), meaning the attacker must be within the same broadcast or collision domain (e.g., Wi-Fi range). No authentication or user interaction is required. The attack can be carried out by injecting command sequences into parameter values that are passed to a system shell without proper sanitization [1].
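The injection described above comes down to a request parameter being spliced into a shell command line. The following Python snippet is an added example, not code from the page, from NETGEAR, or from the affected firmware: it contrasts a naive string-built command with a hardened form (allowlist validation, then an argv list that never passes through a shell). The sample host values, the `ping` command, and the function names are constructed for illustration; the unsafe builder only returns the string for inspection and nothing here is executed.

```python
import re
import subprocess
from typing import List

# Constructed sample parameter values (not from the advisory): one benign,
# one carrying a shell metacharacter sequence of the kind the text describes.
BENIGN_HOST = "192.0.2.10"
HOSTILE_HOST = "192.0.2.10; id"

SHELL_METACHARS = ";|&`$()<>\n"


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern: the raw parameter is interpolated into a command
    line that would be handed to a shell (system(), popen(), shell=True).
    Anything after a ';' or '|' in the value becomes a second command.
    Returned as a string here so it can be inspected without running it."""
    return f"ping -c 1 {host}"


def contains_shell_metachars(cmdline: str) -> bool:
    """Detection helper: true if the built command line contains characters
    a POSIX shell would interpret as command separators or substitutions."""
    return any(ch in cmdline for ch in SHELL_METACHARS)


# Allowlist for a hostname/IPv4 literal: letters, digits, dots, hyphens.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def validate_host(host: str) -> str:
    """Reject any value that is not plausibly a host; no attempt to 'clean'
    the value, because stripping metacharacters is easy to get wrong."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def is_accepted(host: str) -> bool:
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def build_command_safe(host: str) -> List[str]:
    """Hardened pattern: validated value, argv list, no shell. Even if the
    allowlist were loosened, the value is a single argument to ping and
    can never be parsed as shell syntax."""
    return ["ping", "-c", "1", validate_host(host)]


def run_safe(host: str) -> int:
    """Execution step for the hardened form (not exercised by the test):
    shell=False is the default, so the list is passed straight to execve."""
    return subprocess.run(build_command_safe(host), shell=False, check=False).returncode


if __name__ == "__main__":
    for h in (BENIGN_HOST, HOSTILE_HOST):
        unsafe = build_command_unsafe(h)
        print(f"unsafe line {unsafe!r}: metachars={contains_shell_metachars(unsafe)}")
        print(f"safe  argv {h!r}: accepted={is_accepted(h)}")
```

The point of the pairing is that the fix is structural: validate against an allowlist and pass arguments as a vector. Escaping metacharacters before calling a shell is a weaker mitigation because every shell and every command has its own quoting rules.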
Impact
Successful exploitation allows the attacker to execute arbitrary commands with root-level privileges on the device. This leads to complete compromise of confidentiality, integrity, and availability (CIA), enabling actions such as reading sensitive data, modifying device configuration, installing malware, or launching further attacks on the network. The CVSSv3 score is 8.8 (High) with a vector of AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [1].
Mitigation
NETGEAR has released fixed firmware versions for all affected models. Users should update to the latest firmware as follows: D6100 to 1.0.0.57, R6100 to 1.0.1.20, R7500v2 to 1.0.3.24, WNDR4300v2 to 1.0.0.50, and WNDR4500v3 to 1.0.0.50. Firmware can be downloaded from NETGEAR Support. No workaround is available other than applying the update. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication [1].
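Because the fix is a firmware update, the practical check is comparing each device's running firmware against the fixed version for its model. The Python below is an added example (not NETGEAR's tooling and not from the page); the fixed-version table is taken from the advisory text, while the inventory lines, the `EXAMPLE-MODEL` entry and the function names are constructed for illustration. It parses dotted versions numerically, which matters here because a string comparison would rank 1.0.0.6 above the fixed 1.0.0.50 and miss a vulnerable device.

```python
from typing import Dict, List, Optional, Tuple

# Fixed firmware versions as stated in the advisory for this CVE.
FIXED_VERSIONS: Dict[str, str] = {
    "D6100": "1.0.0.57",
    "R6100": "1.0.1.20",
    "R7500v2": "1.0.3.24",
    "WNDR4300v2": "1.0.0.50",
    "WNDR4500v3": "1.0.0.50",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted version string -> tuple of ints, so that comparison is
    component-wise numeric rather than lexicographic."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(model: str, running: str) -> Optional[bool]:
    """True if the running firmware is below the fixed version for the model,
    False if at or above it, None if the model is not covered by this advisory."""
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        return None
    return parse_version(running) < parse_version(fixed)


# Constructed inventory (hypothetical devices, one line per "model,firmware").
# EXAMPLE-MODEL is a placeholder for a model outside this advisory's scope.
INVENTORY = """D6100,1.0.0.56
R7500v2,1.0.3.24
WNDR4300v2,1.0.0.6
EXAMPLE-MODEL,1.0.9.88
"""


def triage(inventory: str) -> Dict[str, List[str]]:
    """Bucket inventory lines into vulnerable / fixed / not_covered."""
    report: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "not_covered": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        model, version = (s.strip() for s in line.split(",", 1))
        verdict = is_vulnerable(model, version)
        if verdict is None:
            key = "not_covered"
        elif verdict:
            key = "vulnerable"
        else:
            key = "fixed"
        report[key].append(f"{model} {version}")
    return report


if __name__ == "__main__":
    for bucket, devices in triage(INVENTORY).items():
        print(f"{bucket}: {devices}")
```

Feed it the model and firmware strings from the device's admin page or your asset inventory; any device in the `vulnerable` bucket should be updated to the version listed for its model.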
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
NETGEAR / NETGEAR devices (4 entries; source: description)
Patches
No patches discovered yet (0).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet (0).