CVE-2020-14432
Description
Certain NETGEAR devices are affected by CSRF. This affects RBK752 before 3.2.15.25, RBK753 before 3.2.15.25, RBK753S before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK842 before 3.2.15.25, RBR840 before 3.2.15.25, RBS840 before 3.2.15.25, RBK852 before 3.2.15.25, RBK853 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple NETGEAR WiFi system models are vulnerable to CSRF attacks, allowing attackers to perform unauthorized actions if an authenticated user visits a malicious site.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in the web interface of certain NETGEAR WiFi system models. Affected devices include RBK752, RBK753, RBK753S, RBR750, RBS750, RBK842, RBR840, RBS840, RBK852, RBK853, RBR850, and RBS850 running firmware versions prior to 3.2.15.25. The bug allows an attacker to forge requests that are treated as legitimate by the device's web management interface, provided the target user is currently authenticated [1].
Exploitation
To exploit this vulnerability, an attacker must convince an authenticated administrator or user of the affected NETGEAR system to visit a specially crafted web page or click a malicious link. The attacker does not require network proximity or credentials; however, the victim must be logged into the device's web interface at the time of the attack. No additional user interaction beyond accessing the malicious page is necessary for the forged request to be processed [1].
Impact
Successful exploitation allows the attacker to perform actions on the affected device with the same privileges as the authenticated user. This could include changing device settings, modifying network configurations, or potentially initiating other unauthorized operations, leading to a compromise of confidentiality, integrity, or availability of the affected system [1].
Mitigation
NETGEAR strongly recommends updating the firmware to version 3.2.15.25 or later, which fixes the CSRF vulnerability. The fix is available for all listed models from the NETGEAR Support website. No workarounds have been provided; users should install the updated firmware as soon as possible [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NETGEAR/devices
Patches
No patches discovered yet.