CVE-2020-14437

Vulnerability

A pre-authentication command injection vulnerability exists in the firmware of several NETGEAR Orbi WiFi system models. The flaw allows an unauthenticated attacker to inject arbitrary operating system commands through a vulnerable endpoint exposed by the device. Affected models include RBK752, RBK753, RBK753S, RBR750, RBS750, RBK842, RBR840, RBS840, RBK852, RBK853, RBR850, and RBS850 running firmware versions prior to 3.2.15.25 [1]. No authentication is required to reach the vulnerable code path.

Exploitation

An attacker with network access to the affected device can exploit this vulnerability by sending a specially crafted request to the vulnerable service. No prior authentication or user interaction is required. The exact attack vector is not publicly detailed, but the advisory confirms that the injection occurs before any authentication check [1].

Impact

Successful exploitation grants the attacker the ability to execute arbitrary commands with root-level privileges on the device. This can lead to full compromise of the WiFi system, including data exfiltration, installation of malware, and potential use as a pivot point for further attacks on the local network.

Mitigation

NETGEAR has released firmware version 3.2.15.25 to address this vulnerability for all affected models [1]. Users are strongly advised to download and install the latest firmware from NETGEAR Support. No workarounds are provided, and the vulnerability remains exploitable if the firmware is not updated. There is no indication that this CVE is listed in the Known Exploited Vulnerabilities (KEV) catalog.