CVE-2021-45571

Vulnerability

The vulnerability is a post-authentication command injection issue present in multiple NETGEAR Orbi WiFi system models. Affected devices include RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850 running firmware versions prior to 3.2.16.6. An authenticated user with administrative access can inject arbitrary commands through an unspecified input field, likely due to insufficient sanitization of user-supplied data before passing it to a system shell [1].

Exploitation

An attacker must first obtain valid administrative credentials for the affected device. Once authenticated to the web interface or management service, the attacker can inject commands by sending specially crafted input to a vulnerable parameter. The attack is network-accessible (adjacent network, per CVSS vector) and does not require user interaction beyond the initial authentication step [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands with the privileges of the web server process, which typically runs as root on these embedded devices. This gives the attacker full control over the device, including the ability to modify configuration, exfiltrate data, or launch further attacks within the local network [1].

Mitigation

NETGEAR released firmware version 3.2.16.6 to fix this vulnerability. Users should update their devices to this version or later immediately by downloading the latest firmware from NETGEAR Support and following the installation instructions. No workarounds are provided, and older firmware versions remain vulnerable [1].