CVE-2021-20166
Description
A buffer overrun in Netgear RAX43 firmware 1.0.3.96 URL parsing allows unauthenticated attackers to bypass authentication and execute arbitrary CGI commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer overrun vulnerability exists in the URL parsing functionality of the cgi-bin endpoint on Netgear Nighthawk RAX43 routers running firmware version 1.0.3.96. The parsing function expects a query string of up to 256 characters, but an erroneous strlcpy() call allows an attacker to overflow this buffer and overwrite a variable that controls the PATH_INFO value. This overwrite causes the router to execute a CGI binary specified by the attacker without proper authentication checks [1].
Exploitation
An attacker with network access to the router's LAN interface (adjacent network) can send a crafted POST request to the /cgi-bin/ endpoint. By providing an overly long query string, the attacker triggers the buffer overrun, setting the PATH_INFO variable to a desired CGI binary path. The request does not require any authentication or user interaction [1].
Impact
Successful exploitation allows the attacker to execute arbitrary CGI binaries on the router without authentication. On its own this is rated as a low impact on confidentiality, integrity, and availability (CVSS 6.3). Notably, this authentication bypass can be chained with a separate command injection vulnerability in readycloud_control.cgi (CVE-2021-20167) to achieve root-level command execution [1].
Mitigation
As of the publication date (December 2021), Netgear has not released a firmware update to address this vulnerability. No workarounds are documented. Users should monitor Netgear's support page for future patches. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Netgear / RAX43
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"An erroneous `strlcpy()` call in the URL parsing function allows a buffer overrun of a 256-byte query string array, causing the PATH_INFO variable to be set and bypassing authentication."
Attack vector
An unauthenticated attacker on the local network sends a crafted POST request to the router's "cgi-bin" endpoint with an overly long query string (256+ characters) followed by an API path such as "/api/users". The buffer overrun in the URL parsing function causes the PATH_INFO variable to be set, which makes the designated CGI binary execute without requiring authentication [1]. This bypass then enables command injection via the unsanitized "name" parameter passed to a `system()` call in readycloud_control.cgi, allowing root-level command execution [1].
Affected code
The vulnerability resides in the URL parsing function that handles POST requests to the "cgi-bin" endpoint on the router. The function uses a static 256-byte character array for the query string and an additional array for what debug output calls "PATH_INFO". An erroneous `strlcpy()` call in this parsing function allows the query string buffer to overflow, causing the PATH_INFO variable to be set to attacker-controlled data [1].
What the fix does
The advisory does not provide a patch or specific remediation code. The recommended fix is to correct the erroneous `strlcpy()` call in the URL parsing function so that the query string buffer cannot overflow into the PATH_INFO variable, thereby preventing the authentication bypass. Additionally, the "name" parameter passed to `system()` in readycloud_control.cgi should be properly sanitized to prevent command injection [1].
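The following C snippet is an added illustration of the fix pattern described above; it is not Netgear's firmware code and not taken from the Tenable advisory. It models a hypothetical request structure in which a 256-byte query array sits next to the PATH_INFO field, copies the query with a length bounded by the destination size, and rejects a truncated (overlong) query instead of dispatching the request. The names `cgi_request`, `parse_cgi_url`, `xstrlcpy`, and the helper functions are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical request layout modelled on the page's description (an
 * assumption for this example, not the real firmware's structure): a
 * fixed 256-byte query array adjacent to the PATH_INFO field. */
#define QUERY_MAX 256
#define PATH_INFO_MAX 128

struct cgi_request {
    char query[QUERY_MAX];
    char path_info[PATH_INFO_MAX];
};

/* Portable strlcpy with BSD semantics: copies at most dsize-1 bytes,
 * always NUL-terminates when dsize > 0, and returns strlen(src) so the
 * caller can detect truncation with (ret >= dsize). Defined locally
 * because not every libc ships strlcpy. */
static size_t xstrlcpy(char *dst, const char *src, size_t dsize) {
    size_t srclen = strlen(src);
    if (dsize > 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Parse "<path>?<query>" into req. Returns 0 on success, -1 when either
 * part does not fit. The bug class the page describes is a copy whose
 * length is derived from the source (or from an unrelated value) rather
 * than from the destination, so a 256+ byte query runs past req->query
 * into the neighbouring field. The corrected call below is sized by
 * sizeof(req->query) and treats truncation as a hard error. */
int parse_cgi_url(const char *url, struct cgi_request *req) {
    memset(req, 0, sizeof(*req));
    const char *q = strchr(url, '?');
    size_t plen = q ? (size_t)(q - url) : strlen(url);
    if (plen >= sizeof(req->path_info))
        return -1;                       /* path too long: reject */
    memcpy(req->path_info, url, plen);
    req->path_info[plen] = '\0';
    if (!q)
        return 0;
    if (xstrlcpy(req->query, q + 1, sizeof(req->query)) >= sizeof(req->query))
        return -1;                       /* query truncated: reject, never dispatch */
    return 0;
}

/* Demonstration helper: parse a well-formed URL and check both fields. */
int parse_matches(const char *url, const char *exp_path, const char *exp_query) {
    struct cgi_request req;
    if (parse_cgi_url(url, &req) != 0)
        return 0;
    return strcmp(req.path_info, exp_path) == 0 && strcmp(req.query, exp_query) == 0;
}

/* Demonstration helper: build a constructed URL whose query is qlen '1'
 * characters followed by "/api/users" (the shape the page describes) and
 * report whether the parser rejected it without letting the query reach
 * path_info. Returns 1 only when the request is refused. */
int overlong_query_is_rejected(size_t qlen) {
    char url[QUERY_MAX * 2 + 64];
    const char *prefix = "/cgi-bin/readycloud_control.cgi?";
    const char *suffix = "/api/users";
    if (qlen + strlen(prefix) + strlen(suffix) >= sizeof(url))
        return 0;
    size_t off = 0;
    memcpy(url, prefix, strlen(prefix));
    off += strlen(prefix);
    memset(url + off, '1', qlen);
    off += qlen;
    memcpy(url + off, suffix, strlen(suffix) + 1);   /* includes the NUL */
    struct cgi_request req;
    int rc = parse_cgi_url(url, &req);
    return rc == -1 && strstr(req.path_info, suffix) == NULL;
}
```

The two properties a reviewer would check are visible in the helpers: a normal request parses into the expected path and query, and a request whose query exceeds the 256-byte array is refused outright rather than silently truncated or, as in the original defect, allowed to spill into the field that selects the CGI binary.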
Preconditions
- Network: attacker must be on the local network (LAN) of the router
- Authentication: none required to trigger the buffer overrun
- Configuration: the default router configuration is vulnerable; remote management via WAN is also exploitable if enabled
- Input: attacker sends a crafted POST request with an overly long query string
Reproduction
Send the following POST request to the router's cgi-bin endpoint, using a query string of 256 or more '1' characters followed by "/api/users" and a JSON body containing a command injection payload in the "name" field:
```
POST /cgi-bin/readycloud_control.cgi?1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111/api/users HTTP/1.1
Content-Length: 49

"name":"';$(id > /tmp/id);'","email":"[email protected]"
```
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://www.tenable.com/security/research/tra-2021-55
News mentions
No linked articles in our index yet.