CVE-2020-26899

Vulnerability

Certain NETGEAR WiFi system models are affected by a sensitive information disclosure vulnerability. The affected models with vulnerable firmware versions are: CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.10.11, RBR850 before 3.2.10.11, and RBS850 before 3.2.10.11 [1]. The vulnerability resides in the firmware and can be exploited without specific configuration requirements.

Exploitation

The advisory [1] does not provide specific exploitation steps. However, given the CVSS score of 9.6 (Critical), the vulnerability is likely remotely exploitable without authentication. Further technical details are not publicly available in the disclosed reference.

Impact

Successful exploitation could lead to disclosure of sensitive information from the affected device. This may compromise the confidentiality of device settings, network configuration, or other privileged data, potentially allowing an attacker to further compromise the network.

Mitigation

NETGEAR has released firmware updates to address this vulnerability. Users should update to the following versions: CBR40 to 2.5.0.10 or later, RBK752/RBR750/RBS750 to 3.2.15.25 or later, and RBK852/RBR850/RBS850 to 3.2.10.11 or later [1]. The advisory provides instructions for downloading and installing the firmware. No workaround is available; applying the update is the only mitigation.