CVE-2020-26910

Vulnerability

A post-authentication command injection vulnerability exists in the web management interface of several NETGEAR WiFi system products. Affected models and firmware versions are: CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25 [1]. The vulnerability is reachable only after an attacker has successfully authenticated to the device's administrative interface.

Exploitation

An attacker must first obtain valid administrative credentials for the affected NETGEAR device. With authenticated access, the attacker can send specially crafted HTTP requests to the vulnerable web management interface, injecting arbitrary operating system commands that are then executed on the device [1]. No additional privileges or user interaction beyond authentication are required.

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary commands on the underlying operating system with the privileges of the web server process (likely root). This can lead to full compromise of the device, including the ability to read, modify, or delete sensitive data, install malware, and pivot to other devices on the network [1].

Mitigation

NETGEAR has released firmware updates that fix this vulnerability for all affected models: CBR40 firmware version 2.5.0.10, and firmware version 3.2.15.25 for RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850. Users should download and install the latest firmware from the NETGEAR Support website as soon as possible [1]. No workarounds are available; updating firmware is the only recommended mitigation.