VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2021 · Updated Aug 3, 2024

CVE-2021-20167

Description

Netgear RAX43 firmware 1.0.3.96 has an unauthenticated command injection in readycloud_control.cgi's name parameter, enabling root-level RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2021-20167 is a command injection vulnerability in the readycloud_control.cgi binary of Netgear Nighthawk RAX43 routers running firmware version 1.0.3.96. When the /api/users endpoint is accessed, the name parameter is passed unsanitized into a system() call, allowing arbitrary command execution. The vulnerability is reachable without authentication due to a separate buffer overrun bug (CVE-2021-20166) in the URL parsing of POST requests to the /cgi-bin/ endpoint, which bypasses authentication checks [1]. All default configurations are affected, including devices with remote management enabled over WAN.

Exploitation

An attacker with LAN access (or WAN access if remote management is enabled) can exploit this by sending a crafted POST request to http://<router-ip>/cgi-bin/readycloud_control.cgi?/api/users with a malicious name parameter containing shell metacharacters. The buffer overrun in the URL parser (CVE-2021-20166) causes the request to be processed without authentication, and the injected commands are executed as root via the system() call [1]. No user interaction or prior authentication is required.

Impact

Successful exploitation grants the attacker a root shell on the router, leading to full compromise of the device. This includes the ability to read and modify network traffic, install persistent malware, pivot to internal networks, and disrupt device functionality. The impact is high due to the privileged execution context and the lack of authentication required [1].

Mitigation

At the time of publication (December 2021), no official firmware patch was available from Netgear. Users are advised to disable remote management, restrict LAN access to trusted devices, and monitor for firmware updates. The Tenable research advisory (TRA-2021-55) recommends applying any future updates promptly [1]. If the device is no longer supported, replacement with a supported model is recommended.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Netgear/RAX43 (source: description)
  • Netgear/RAX43 (source: llm-create)
    Range: = 1.0.3.96

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the readycloud_control.cgi binary allows the "name" parameter to be passed directly into a system() call, enabling command injection."

Attack vector

An attacker sends a crafted POST request to the router's LAN interface targeting the cgi-bin endpoint. The request uses a long query string of '1' characters (256+ characters) to overflow a buffer in the URL parsing function, which bypasses authentication and causes the readycloud_control.cgi binary to execute without credentials [1]. The "name" parameter in the JSON body is then passed unsanitized into a system() call, allowing arbitrary command injection as root [1]. The attack requires network access to the LAN interface; remote management via WAN also exposes the device if enabled.

Affected code

The readycloud_control.cgi binary is the vulnerable component. The "name" parameter passed to the "/api/users" API endpoint is the specific input that is unsanitized before being used in a system() call [1].

What the fix does

The advisory does not provide a patch or remediation from Netgear. The researcher recommends that input to the "name" parameter be properly sanitized before being passed to a system() call, and that the buffer overrun in the URL parsing function be fixed to prevent authentication bypass [1]. No official firmware update addressing these issues is mentioned in the advisory.
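
The sanitization recommended above, sketched in C as an added example; it is not code from the advisory or from Netgear's firmware. The helper path, the function names, the allowlist and the single-quoted command template are assumptions made for illustration, since the page does not show the command the binary actually runs.

```c
#include <ctype.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
extern char **environ;
#define HELPER "/usr/sbin/add_user_helper" /* hypothetical path, not from the page */

/* Unsafe pattern: the value is pasted into a shell command line.
 * The string is only built here so it can be inspected; it is never executed. */
int build_shell_command(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, HELPER " '%s'", name);
}

/* Allowlist (assumed policy): 1..32 chars from [A-Za-z0-9._-], no leading '-'. */
int name_is_safe(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 32 || name[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened path: validate, then pass the value as one argv element through
 * posix_spawn(), so no shell ever parses it.
 * Returns -1 if rejected, -2 on spawn failure, otherwise the helper's exit code. */
int add_user_safe(const char *helper, const char *name)
{
    pid_t pid; int status;
    if (!name_is_safe(name))
        return -1;
    char *argv[] = { (char *)helper, (char *)name, NULL };
    if (posix_spawn(&pid, helper, NULL, NULL, argv, environ) != 0)
        return -2;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -2;
    return WEXITSTATUS(status);
}

int main(void)
{
    char cmd[128];
    build_shell_command(cmd, sizeof cmd, "';$(id > /tmp/id);'"); /* value from the page */
    printf("%s -> %d\n", cmd, add_user_safe(HELPER, "';$(id > /tmp/id);'"));
    return 0;
}
```

Quoting alone does not help in the unsafe template: the value's leading quote closes the one the template opened, which is why the hardened path both rejects the value and avoids the shell entirely.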

Preconditions

  • network: Attacker must have network access to the router's LAN interface (or WAN if remote management is enabled)
  • auth: No authentication required due to the buffer-overrun authentication bypass bug
  • config: Default configuration is vulnerable; readycloud functionality does not need to be explicitly enabled

Reproduction

Send the following POST request to the router's LAN IP:

``` POST /cgi-bin/readycloud_control.cgi?1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111/api/users HTTP/1.1 Content-Length: 49

"name":"';$(id > /tmp/id);'","email":"[email protected]" ```

The long query string of '1' characters triggers the authentication bypass buffer overrun, and the injected command in the "name" parameter executes as root [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
