CVE-2021-38533
Description
NETGEAR RAX40 devices before 1.0.3.64 are affected by stored XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NETGEAR RAX40 routers before firmware 1.0.3.64 are vulnerable to stored cross-site scripting (XSS).
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in NETGEAR RAX40 routers running firmware versions prior to 1.0.3.64, as detailed in the security advisory [1]. The vulnerability allows an attacker to inject malicious scripts that are permanently stored on the device, which are later executed in the context of an authenticated admin's browser session. Affected model: RAX40 with firmware earlier than 1.0.3.64 [1].
Exploitation
An attacker must have valid administrative credentials to the router's web interface (privilege level: Low) and be on the same local network (adjacent) to exploit this vulnerability [1]. The attacker injects a malicious payload into a persistent storage field (e.g., configuration settings), which is then rendered and executed when another admin accesses the affected page. No user interaction beyond normal admin activity is required for the stored payload to trigger [1].
Impact
Successful exploitation leads to stored XSS with impacts on confidentiality and integrity: the attacker can execute arbitrary JavaScript in the admin's browser session, potentially performing actions on the router as the logged-in admin, stealing session tokens, or modifying router settings. The CVSS v3 score is 5.4 (Low), with a vector of AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating low impact to confidentiality and integrity, no impact to availability, and a scope change [1].
Mitigation
NETGEAR released firmware version 1.0.3.64 to fix this vulnerability [1]. Users are strongly advised to download and install the latest firmware from NETGEAR Support. The advisory states the vulnerability is addressed in that version, and no workarounds are provided for unpatched devices [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
NETGEAR/RAX40
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.