Unrated severityNVD Advisory· Published Oct 9, 2020· Updated Aug 4, 2024

CVE-2020-26907

Description

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 3.2.16.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A critical pre-authentication command injection vulnerability in NETGEAR Orbi Wi-Fi systems (RBK852, RBR850, RBS850) allows unauthenticated, adjacent attackers to execute arbitrary commands.

Vulnerability

A command injection flaw exists in the NETGEAR Orbi Wi-Fi system models RBK852, RBR850, and RBS850 running firmware versions prior to 3.2.16.6. An unauthenticated attacker can inject arbitrary operating system commands through a vulnerable endpoint, without needing any prior authentication. The vulnerability is reachable over the local network, making it exploitable pre-authentication [1].

Exploitation

An attacker must be on the same local network (adjacent access) as the affected device. No authentication or user interaction is required. The attacker sends crafted network requests to a vulnerable service, injecting commands that are then executed by the system. The CVSS vector (AV:A/AC:L/PR:N/UI:N) indicates a low attack complexity and no privileges needed [1].

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary commands with root-level privileges on the device. This can lead to full compromise of confidentiality, integrity, and availability, including data theft, device manipulation, or adding the device to a botnet. The impact is high across all CIA dimensions, with a CVSS score of 9.6 (Critical) [1].

Mitigation

NETGEAR released fixed firmware version 3.2.16.6 for RBK852, RBR850, and RBS850. Users are strongly advised to upgrade to this version or later via the NETGEAR Support downloads page. No workarounds are documented. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication [1].

References

Security Advisory for Pre-Authentication Command Injection on Some WiFi Systems, PSV-2020-0264

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

NETGEAR/NETGEAR devicesdescription
Netgear/RBK852llm-fuzzy
Range: <3.2.16.6
Netgear/RBR850llm-fuzzy
Range: <3.2.16.6
Netgear/RBS850llm-fuzzy
Range: <3.2.16.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

kb.netgear.com/000062347/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-WiFi-Systems-PSV-2020-0264mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000