CVE-2021-45504

Vulnerability

An authentication bypass vulnerability exists in the firmware of certain NETGEAR WiFi system models. Affected versions include CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, RBR852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12 [1]. The vulnerability allows an attacker to bypass authentication mechanisms without valid credentials.

Exploitation

An attacker on the same adjacent network (e.g., within WiFi range) can exploit this vulnerability without any authentication or user interaction. The CVSS vector indicates low attack complexity and no privileges required [1]. The exact exploitation steps are not publicly disclosed, but the vulnerability can be triggered remotely over the network.

Impact

Successful exploitation grants the attacker full control over the affected device, leading to high confidentiality, integrity, and availability impact. The scope change in the CVSS vector indicates that the compromised component can affect resources beyond its original security boundary [1].

Mitigation

NETGEAR has released fixed firmware versions: CBR40 2.5.0.24, CBR750 4.6.3.6, RBR852 3.2.17.12, RBR850 3.2.17.12, and RBS850 3.2.17.12. Users should download and install the latest firmware from NETGEAR Support [1]. No workarounds are available; updating to the patched version is the only mitigation.