VYPR · NVD Advisory · Severity: Unrated · Published Apr 16, 2020 · Updated Aug 5, 2024

CVE-2019-20732

Description

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D6220 before 1.0.0.40, D7000v2 before 1.0.0.74, D8500 before 1.0.3.39, DGN2200v4 before 1.0.0.102, DGND2200Bv4 before 1.0.0.102, EX3700 before 1.0.0.70, EX3800 before 1.0.0.70, EX6000 before 1.0.0.30, EX6100 before 1.0.2.22, EX6120 before 1.0.0.40, EX6130 before 1.0.0.22, EX6150v1 before 1.0.0.42, EX6200 before 1.0.3.88, EX7000 before 1.0.0.66, R6250 before 1.0.4.20, R6300v2 before 1.0.4.24, R6400 before 1.0.1.32, R6400v2 before 1.0.2.44, R6700 before 1.0.1.46, R6900 before 1.0.1.46, R7000 before 1.0.9.26, R6900P before 1.3.0.20, R7000P before 1.3.0.20, R7100LG before 1.0.0.40, R7300DST before 1.0.0.62, R7900 before 1.0.2.10, R8000 before 1.0.4.12, R7900P before 1.3.0.10, R8000P before 1.3.0.10, R8300 before 1.0.2.106, R8500 before 1.0.2.106, WN2500RPv2 before 1.0.1.54, WNDR3400v3 before 1.0.1.18, and WNR3500Lv2 before 1.2.0.48.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NETGEAR routers, gateways, and extenders are vulnerable to authenticated command injection, allowing an attacker to execute arbitrary OS commands.

Vulnerability

CVE-2019-20732 is a post-authentication command injection vulnerability affecting a wide range of NETGEAR devices. The flaw resides in the web management interface of the firmware, where insufficient input validation allows an attacker with valid credentials to inject arbitrary operating system commands. The affected products and their vulnerable firmware versions are: D6220 before 1.0.0.40, D7000v2 before 1.0.0.74, D8500 before 1.0.3.39, DGN2200v4 before 1.0.0.102, DGND2200Bv4 before 1.0.0.102, EX3700 before 1.0.0.70, EX3800 before 1.0.0.70, EX6000 before 1.0.0.30, EX6100 before 1.0.2.22, EX6120 before 1.0.0.40, EX6130 before 1.0.0.22, EX6150v1 before 1.0.0.42, EX6200 before 1.0.3.88, EX7000 before 1.0.0.66, R6250 before 1.0.4.20, R6300v2 before 1.0.4.24, R6400 before 1.0.1.32, R6400v2 before 1.0.2.44, R6700 before 1.0.1.46, R6900 before 1.0.1.46, R7000 before 1.0.9.26, R6900P before 1.3.0.20, R7000P before 1.3.0.20, R7100LG before 1.0.0.40, R7300DST before 1.0.0.62, R7900 before 1.0.2.10, R8000 before 1.0.4.12, R7900P before 1.3.0.10, R8000P before 1.3.0.10, R8300 before 1.0.2.106, R8500 before 1.0.2.106, WN2500RPv2 before 1.0.1.54, WNDR3400v3 before 1.0.1.18, and WNR3500Lv2 before 1.2.0.48 [1].

Exploitation

Exploitation requires the attacker to first authenticate to the device's web interface with a valid administrator or user account. Once authenticated, the attacker sends a crafted HTTP request whose parameters carry command-injection payloads that the firmware fails to sanitize. The device then executes the injected commands with the privileges of the web server process, which typically runs as root. No user interaction is required beyond the initial authentication. The attacker must have network access to the management interface, which is normally reachable only from the local LAN but may also be exposed on the WAN if remote management is enabled [1].

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands on the affected device with root privileges. This can lead to complete compromise of the device, including full control over its networking functions, the ability to intercept or redirect traffic, install persistent malware, exfiltrate sensitive data, or use the device as a pivot point for further attacks on the local network. Successful exploitation therefore fully compromises the confidentiality, integrity, and availability of the device and potentially of the network behind it [1].

Mitigation

NETGEAR has released firmware updates that fix this vulnerability. Affected users should upgrade their devices to at least the fixed firmware version listed in the advisory. For example, the R7000 should be updated to firmware version 1.0.9.26 or later, and the R8000 to 1.0.4.12 or later [1]. Users should also disable remote management if it is not required and use strong, unique passwords for device administration. There is no mention of this CVE being listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
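A defender checking whether deployed NETGEAR devices still need this update has to compare each unit's firmware against the per-model "before" thresholds in the description. The following is an added example (not code from VYPR, NVD or NETGEAR) that parses those thresholds out of the advisory text and runs a numeric version comparison over a constructed inventory. The inventory entries are made up for illustration, and the handling of the "V1.0.9.26_1.2.19" display format (leading "V", build suffix after "_") is an assumption about how NETGEAR devices report their firmware.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed-version list copied verbatim from the CVE-2019-20732 description.
ADVISORY_TEXT = (
    "D6220 before 1.0.0.40, D7000v2 before 1.0.0.74, D8500 before 1.0.3.39, "
    "DGN2200v4 before 1.0.0.102, DGND2200Bv4 before 1.0.0.102, EX3700 before 1.0.0.70, "
    "EX3800 before 1.0.0.70, EX6000 before 1.0.0.30, EX6100 before 1.0.2.22, "
    "EX6120 before 1.0.0.40, EX6130 before 1.0.0.22, EX6150v1 before 1.0.0.42, "
    "EX6200 before 1.0.3.88, EX7000 before 1.0.0.66, R6250 before 1.0.4.20, "
    "R6300v2 before 1.0.4.24, R6400 before 1.0.1.32, R6400v2 before 1.0.2.44, "
    "R6700 before 1.0.1.46, R6900 before 1.0.1.46, R7000 before 1.0.9.26, "
    "R6900P before 1.3.0.20, R7000P before 1.3.0.20, R7100LG before 1.0.0.40, "
    "R7300DST before 1.0.0.62, R7900 before 1.0.2.10, R8000 before 1.0.4.12, "
    "R7900P before 1.3.0.10, R8000P before 1.3.0.10, R8300 before 1.0.2.106, "
    "R8500 before 1.0.2.106, WN2500RPv2 before 1.0.1.54, WNDR3400v3 before 1.0.1.18, "
    "and WNR3500Lv2 before 1.2.0.48."
)

Version = Tuple[int, ...]


def parse_version(raw: str) -> Version:
    """Turn a firmware string into a zero-padded 4-tuple for numeric comparison.

    Assumption: devices may report the version as "V1.0.9.26_1.2.19"; the
    leading "V" and the "_<build>" suffix are stripped before parsing.
    """
    core = raw.strip().lstrip("Vv").split("_", 1)[0]
    parts = [int(p) for p in core.split(".")]
    # Pad so "1.0.9" compares as 1.0.9.0 rather than by tuple length.
    return tuple(parts + [0] * (4 - len(parts)))


def parse_fixed_versions(text: str) -> Dict[str, Version]:
    """Extract '<model> before <version>' pairs; keys are upper-cased model names."""
    return {
        model.upper(): parse_version(version)
        for model, version in re.findall(r"(\w+) before (\d+(?:\.\d+)+)", text)
    }


FIXED_VERSIONS = parse_fixed_versions(ADVISORY_TEXT)


def is_affected(model: str, firmware: str,
                fixed: Optional[Dict[str, Version]] = None) -> Optional[bool]:
    """True if firmware is below the fixed release, False if at or above it,
    None if the model is not named in the advisory (unknown, not safe)."""
    table = fixed if fixed is not None else FIXED_VERSIONS
    threshold = table.get(model.upper())
    if threshold is None:
        return None
    return parse_version(firmware) < threshold


def find_vulnerable(inventory: List[Tuple[str, str]],
                    fixed: Optional[Dict[str, Version]] = None) -> List[Tuple[str, str]]:
    """Return the (model, firmware) pairs that still need the CVE-2019-20732 update."""
    return [(m, fw) for m, fw in inventory if is_affected(m, fw, fixed)]


# Constructed sample inventory; these units and versions are illustrative only.
INVENTORY = [
    ("R7000", "V1.0.9.24_1.2.19"),   # below 1.0.9.26 -> affected
    ("R8000", "V1.0.4.12_1.1.44"),   # exactly the fixed build -> not affected
    ("EX6100", "1.0.2.21"),          # below 1.0.2.22 -> affected
    ("R9000", "1.0.4.26"),           # not in the advisory -> unknown, skipped
]

if __name__ == "__main__":
    for model, fw in find_vulnerable(INVENTORY):
        print(f"{model} running {fw} is below the fixed version "
              f"{'.'.join(map(str, FIXED_VERSIONS[model.upper()]))}")
```

Note that `is_affected` returns `None` rather than `False` for a model the advisory does not name; an inventory script should treat that as "needs manual review", since the description lists only the models NETGEAR confirmed, not every model that might share the firmware code.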

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4 · Patches: 0 · References: 1 · News mentions: 0