Unrated severityNVD Advisory· Published Oct 9, 2020· Updated Aug 4, 2024

CVE-2020-26902

Description

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A pre-authentication command injection vulnerability in NETGEAR WiFi systems allows an unauthenticated attacker to execute arbitrary commands via the web interface.

Vulnerability

A pre-authentication command injection vulnerability exists in certain NETGEAR WiFi system models. The flaw affects the following devices running firmware versions prior to 3.2.15.25: RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850. An unauthenticated attacker can exploit this vulnerability to inject arbitrary commands through the web interface without requiring any authentication [1].

Exploitation

An attacker needs network adjacency to the affected device (CVSS attack vector: Adjacent). No authentication or user interaction is required. The exploit can be carried out by sending specially crafted HTTP requests to the device's management interface, leading to command injection with the privileges of the web server [1].

Impact

Successful exploitation results in arbitrary command execution on the device. The CVSS v3 score is 9.6 (Critical), with high impact on confidentiality and integrity, and low impact on availability. The scope is changed, meaning the attacker can affect resources beyond the vulnerable component [1].

Mitigation

NETGEAR has released firmware version 3.2.15.25 to fix this vulnerability for all affected models. Users should download and install the latest firmware from NETGEAR Support immediately. There are no known workarounds [1].

References

Security Advisory for Pre-Authentication Command Injection on Some WiFi Systems, PSV-2020-0041

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

NETGEAR/NETGEAR devicesdescription
Netgear/RBK752llm-fuzzy
Range: <3.2.15.25
Netgear/RBR750llm-fuzzy
Range: <3.2.15.25
Netgear/RBS750llm-fuzzy
Range: <3.2.15.25

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

kb.netgear.com/000062352/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-WiFi-Systems-PSV-2020-0041mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000