VYPR
Unrated severity · NVD Advisory · Published Oct 9, 2020 · Updated Aug 4, 2024

CVE-2020-26920

Description

Unauthenticated command injection in NETGEAR Orbi Pro WiFi systems (SRK60, SRR60, SRS60) prior to firmware 2.5.3.110 allows full device compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A pre-authentication command injection vulnerability exists in the firmware of certain NETGEAR Orbi Pro WiFi system models. The flaw resides in the handling of network requests by the device's management interface, allowing an unauthenticated attacker to inject arbitrary operating system commands. Affected models are SRK60, SRR60, and SRS60 running firmware versions prior to 2.5.3.110 [1]. No authentication or special configuration is required to reach the vulnerable code path.

Exploitation

An attacker with network access to the affected device (adjacent network, as per CVSS vector) can send a specially crafted request to the device's management interface. No prior authentication or user interaction is needed. The attacker crafts a request containing malicious command payloads that are not properly sanitized, leading to command injection [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands with root privileges on the device. This results in full compromise of confidentiality, integrity, and availability (CVSS 8.8, High). The attacker can read sensitive data, modify device configuration, install malware, or disrupt network services [1].

Mitigation

NETGEAR has released firmware version 2.5.3.110 to address this vulnerability. Users should immediately update their devices to this version or later via the NETGEAR Support page. No workarounds are available; updating is the only mitigation [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
