VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 25, 2021· Updated Aug 4, 2024

CVE-2021-37563

CVE-2021-37563

Description

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected Setup) protocol. (Affected Chipsets MT7603E, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915; Affected Software Versions 7.4.0.0; Out-of-bounds write).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Out-of-bounds write in MediaTek WPS implementation affects multiple chipsets, leading to potential remote code execution on NETGEAR and other devices.

Vulnerability

The vulnerability is an out-of-bounds write in the WPS (Wi-Fi Protected Setup) protocol handling within MediaTek microchips. Affected chipsets include MT7603E, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, with software version 7.4.0.0 [1]. This affects NETGEAR devices and other products using these chipsets [2].

Exploitation

An attacker within Wi-Fi range can exploit this by sending a specially crafted WPS frame to a vulnerable device. No authentication is required, and user interaction is not needed [1]. The out-of-bounds write occurs during processing of the malicious WPS message.

Impact

Successful exploitation could allow an attacker to execute arbitrary code or cause a denial of service. The impact is remote code execution with no privileges required, potentially leading to full compromise of the device [1][2].

Mitigation

MediaTek has released patches; device OEMs like NETGEAR have issued firmware updates. For NETGEAR, fixed versions are available for many extenders and access points (e.g., EAX11v2 firmware 1.0.3.34, WAX202 firmware 1.0.5.1) [2]. Users should update to the latest firmware. No workarounds are available [2].

References
  1. January 2022
  2. Security Advisory for WiFi WPS and IEEE-1905 Vulnerabilities on Multiple Products, PSV-2021-0298 & PSV-2021-0300

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.