CVE-2018-21225

Vulnerability

A post-authentication command injection vulnerability exists in the web interface of multiple NETGEAR routers and gateways. Affected models include D7000 (before 1.0.1.60), D7800 (before 1.0.1.34), D8500 (before 1.0.3.39), R6700 (before 1.0.1.30), R6700v2 (before 1.2.0.16), R6800 (before 1.2.0.16), R6900 (before 1.0.1.30), R6900P (before 1.2.0.22), R6900v2 (before 1.2.0.16), R7000 (before 1.0.9.12), R7000P (before 1.2.0.22), R7500v2 (before 1.0.3.20), R7800 (before 1.0.2.44), R8300 (before 1.0.2.106), R8500 (before 1.0.2.106), and R9000 (before 1.0.2.52). The vulnerability is triggered when an authenticated user sends specially crafted input to certain web interface parameters, leading to command injection [1].

Exploitation

An attacker must first obtain valid credentials for the device's web interface. Once authenticated, the attacker can send a crafted HTTP request containing malicious command injection payloads in specific parameters. The device's web server then executes these commands with root privileges. No additional user interaction is required beyond the initial authentication [1].

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands on the device. This can lead to full compromise of the router or gateway, including data exfiltration, installation of malware, or use of the device in further attacks. The attacker gains root-level access to the device [1].

Mitigation

NETGEAR has released firmware updates for all affected models. Users should upgrade to the latest firmware versions as listed in the advisory [1]. For example, D7000 should be updated to 1.0.1.60 or later, R7000 to 1.0.9.12 or later, etc. No workarounds are provided; updating firmware is the recommended mitigation. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.