CVE-2021-20170
Description
Netgear RAX43 firmware 1.0.3.96 uses a hardcoded backup password, letting an attacker modify and restore encrypted config files to alter restricted settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Netgear RAX43 firmware version 1.0.3.96 stores configuration backups as password-protected zip files using a hardcoded password (RAX50w!a4udk). The backup mechanism is meant to prevent normal users from manipulating sensitive settings because the zip is encrypted; however, the password is fixed and known, allowing anyone to extract, modify, and repack the configuration archive [1].
Exploitation
An attacker needs a copy of the encrypted backup (the router's configuration file) and knowledge of the hardcoded password. The attacker can unzip the archive with the known password, alter the configuration contents (for example, enabling remote management or changing firewall rules), re-zip the file using the same password, and then restore this modified backup to the router via the web interface. No authentication is required to perform the restore operation once the backup file is obtained [1].
Impact
Successful exploitation allows an attacker to change router settings that were intended to be restricted or encrypted, potentially leading to unauthorized remote access, weakened security controls, or other persistent configuration changes. The impact is limited to settings available in the backup, but could be combined with other vulnerabilities for escalated effects [1].
Mitigation
Netgear has not released a firmware update to address this issue as of the publication date. The affected version is 1.0.3.96; users should monitor vendor advisories for a patched release. No workaround is available other than restricting physical and network access to the device [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Netgear/RAX43
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Configuration backup encryption uses a hardcoded password, allowing any user who can download the backup to decrypt, modify, and re-encrypt it."
Attack vector
An attacker with local network access and valid low-privilege credentials can download an encrypted configuration backup from the device. The backup is a password-protected zip file whose password is hardcoded as "RAX50w!a4udk" [1]. By unzipping the configuration with this known password, the attacker can modify settings that are not intended to be user-manipulable, re-zip the archive, and restore the tampered backup to the device, causing those settings to be changed [1].
Affected code
The advisory does not specify exact file paths or functions. The vulnerability lies in the configuration backup/restore mechanism, which uses a password-protected zip file with a hardcoded password (RAX50w!a4udk) [1].
What the fix does
The advisory does not include a patch or vendor remediation. To close this vulnerability, Netgear should stop using a hardcoded password for configuration backup encryption and instead derive a unique encryption key from the device's admin password or a per-device secret [1]. Without such a change, any user who can download a backup can decrypt and tamper with it.
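One way to implement the per-device keying suggested above, as an added example (not Netgear's code and not taken from the advisory). The function names, the `device_secret` provisioning and the sample config are assumptions, and the sketch covers tamper detection on restore only; confidentiality would come from an AEAD cipher under the same derived key.

```python
import hashlib
import hmac
import os

SALT_LEN, TAG_LEN = 16, 32  # per-backup salt, HMAC-SHA256 tag length


def derive_key(admin_password: str, device_secret: bytes, salt: bytes) -> bytes:
    """Derive a backup key from secrets that differ per device and per backup."""
    # device_secret is assumed to be provisioned uniquely per unit and never
    # exported; it is mixed into the salt so no firmware-wide constant exists.
    return hashlib.pbkdf2_hmac("sha256", admin_password.encode(),
                               device_secret + salt, 200_000, dklen=32)


def seal_backup(config: bytes, admin_password: str, device_secret: bytes) -> bytes:
    """Return salt || tag || config, where tag authenticates salt and config."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(admin_password, device_secret, salt)
    tag = hmac.new(key, salt + config, hashlib.sha256).digest()
    return salt + tag + config


def open_backup(blob: bytes, admin_password: str, device_secret: bytes) -> bytes:
    """Verify a backup before restore; raise ValueError on any modification."""
    if len(blob) < SALT_LEN + TAG_LEN:
        raise ValueError("backup too short")
    salt = blob[:SALT_LEN]
    tag = blob[SALT_LEN:SALT_LEN + TAG_LEN]
    config = blob[SALT_LEN + TAG_LEN:]
    key = derive_key(admin_password, device_secret, salt)
    expected = hmac.new(key, salt + config, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed; refusing restore")
    return config


if __name__ == "__main__":
    secret = os.urandom(32)                           # constructed device secret
    cfg = b"remote_mgmt=0\nwan_ping=drop\n"           # constructed sample config
    blob = seal_backup(cfg, "example-admin-pw", secret)
    print(open_backup(blob, "example-admin-pw", secret) == cfg)
    try:
        open_backup(blob.replace(b"remote_mgmt=0", b"remote_mgmt=1"),
                    "example-admin-pw", secret)
    except ValueError as err:
        print("rejected:", err)
```

With this layout a backup edited off-device, or sealed on a different unit, fails verification before any setting is applied.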
Preconditions
- network: Attacker must have local network access to the device (AV:A per CVSS)
- auth: Attacker must have valid low-privilege credentials to download the configuration backup
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] www.tenable.com/security/research/tra-2021-55 (mitre, x_refsource_MISC)