VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2020 · Updated Aug 4, 2024

CVE-2020-14434

Description

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects RBK752 before 3.2.15.25, RBK753 before 3.2.15.25, RBK753S before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.15.25, RBK853 before 3.2.15.25, RBR850 before 3.2.15.25, RBS850 before 3.2.15.25, RBK842 before 3.2.15.25, RBR840 before 3.2.15.25, and RBS840 before 3.2.15.25.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated command injection in multiple NETGEAR Orbi WiFi systems fixed in firmware version 3.2.15.25.

Vulnerability

A post-authentication command injection vulnerability exists in the web management interface of several NETGEAR Orbi WiFi system models. Affected devices running firmware versions prior to 3.2.15.25 include: RBK752, RBK753, RBK753S, RBR750, RBS750, RBK852, RBK853, RBR850, RBS850, RBK842, RBR840, and RBS840 [1]. The flaw allows an authenticated user to inject arbitrary operating system commands through a vulnerable input field or parameter.

Exploitation

An attacker must first have valid credentials to log into the device's web interface. After authentication, the attacker sends crafted HTTP requests containing malicious command syntax to the vulnerable endpoint. No additional privileges or network access beyond the authenticated session are required [1].

Impact

Successful exploitation enables an authenticated attacker to execute arbitrary commands on the underlying operating system with the privileges of the web server process. This can lead to full compromise of the device, including unauthorized access to network traffic, modification of device settings, and potential pivot to other devices on the network [1].

Mitigation

NETGEAR released fixed firmware version 3.2.15.25 to address this vulnerability. Users should upgrade their devices to the latest firmware available from the NETGEAR Support website. No workarounds have been provided; updating firmware is the only recommended mitigation [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
