VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2020 · Updated Aug 4, 2024

CVE-2020-14442

Description

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects RBK752 before 3.2.15.25, RBK753 before 3.2.15.25, RBK753S before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK842 before 3.2.15.25, RBR840 before 3.2.15.25, RBS840 before 3.2.15.25, RBK852 before 3.2.15.25, RBK853 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated command injection in multiple NETGEAR Orbi WiFi systems before firmware 3.2.15.25 allows remote code execution.

Vulnerability

A pre-authentication command injection vulnerability exists in several NETGEAR Orbi WiFi system models. Affected devices include RBK752, RBK753, RBK753S, RBR750, RBS750, RBK842, RBR840, RBS840, RBK852, RBK853, RBR850, and RBS850 running firmware versions prior to 3.2.15.25. The injection occurs in an unspecified component reachable without prior authentication, allowing an attacker to supply crafted input that is executed as operating system commands by the device [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending specially crafted network requests to the affected device. No authentication or user interaction is required. The attacker only needs network access to the vulnerable device, which is typical for remote exploitation [1]. Specific steps and the exact input vector are not disclosed in the available references, but the issue is classified as a pre-authentication command injection, implying the vulnerable code path is accessible before login.

Impact

Successful exploitation enables an unauthenticated attacker to execute arbitrary commands on the underlying operating system with elevated privileges. This can lead to complete compromise of the device, including full information disclosure, modification of system settings, and potentially using the device as a pivot for further attacks on the network. The confidentiality, integrity, and availability of the device are all at risk [1].

Mitigation

NETGEAR has released firmware version 3.2.15.25 for all affected models to address this vulnerability [1]. Users are strongly advised to download and install the latest firmware from NETGEAR Support as soon as possible. No workarounds are provided; installing the patched firmware is the only mitigation. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • NETGEAR/devices (description)
  • Netgear/RBK752 (llm-fuzzy)
    Range: <3.2.15.25

Patches

0

No patches discovered yet.

References

1
