CVE-2021-45537

Vulnerability

A post-authentication command injection vulnerability exists in the web interfaces of multiple NETGEAR routers and WiFi systems. Affected models include RAX200, RAX75, and RAX80 running firmware versions prior to 1.0.3.106, as well as RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850 running firmware versions prior to 3.2.16.6. The vulnerability stems from improper sanitization of user-supplied input in a management endpoint, allowing an authenticated user to inject operating system commands.

Exploitation

An attacker must first authenticate to the device's web-based management interface using valid credentials. Once authenticated, the attacker can send specially crafted HTTP requests to the vulnerable endpoint to achieve command injection. No additional network access or user interaction beyond the attacker's own session is required.

Impact

Successful exploitation enables the attacker to execute arbitrary commands on the device's operating system with root privileges. This can lead to full disclosure of sensitive information, modification of device settings, denial of service, or use of the compromised device as a pivot point for further attacks against other network resources.

Mitigation

NETGEAR has released fixed firmware versions to address this vulnerability: 1.0.3.106 for the RAX200, RAX75, and RAX80 series, and 3.2.16.6 for the RBK752/RBR750/RBS750 and RBK852/RBR850/RBS850 series. Users should download and install the latest firmware from the NETGEAR Support page as soon as possible [1]. No workarounds are available. Patched firmware has been available since September 2021.