CVE-2021-45541

Vulnerability

A post-authentication command injection vulnerability exists in the web interface of multiple NETGEAR routers and WiFi systems. An authenticated user can inject arbitrary operating system commands through a crafted request. Affected models and firmware versions include: R7900 before 1.0.4.38, R7900P before 1.4.2.84, R8000 before 1.0.4.68, R8000P before 1.4.2.84, RAX200 before 1.0.3.106, MR60 before 1.0.6.110, RAX45 before 1.0.2.72, RAX80 before 1.0.3.106, MS60 before 1.0.6.110, RAX50 before 1.0.2.72, RAX75 before 1.0.3.106, RBR750 before 3.2.16.6, RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, RBS850 before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 before 3.2.16.6 [1].

Exploitation

An attacker must first obtain valid credentials for the device's administrative web interface. Once authenticated, the attacker can send a specially crafted HTTP request to the vulnerable endpoint, injecting arbitrary commands. No additional user interaction is required beyond the initial authentication [1].

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands with root privileges on the affected device. This can lead to full compromise of the device, including data exfiltration, installation of malware, or use of the device as a pivot point for further network attacks [1].

Mitigation

NETGEAR has released fixed firmware versions for all affected models. Users should update to the latest firmware as soon as possible. The fixed versions are: R7900 1.0.4.38, R7900P 1.4.2.84, R8000 1.0.4.68, R8000P 1.4.2.84, RAX200 1.0.3.106, MR60 1.0.6.110, RAX45 1.0.2.72, RAX80 1.0.3.106, MS60 1.0.6.110, RAX50 1.0.2.72, RAX75 1.0.3.106, RBR750 3.2.16.6, RBR850 3.2.16.6, RBS750 3.2.16.6, RBS850 3.2.16.6, RBK752 3.2.16.6, and RBK852 3.2.16.6. The advisory was published on December 21, 2021 [1]. No workarounds are available; updating firmware is the only mitigation.