CVE-2021-45577

Vulnerability

A post-authentication command injection vulnerability exists in the firmware of several NETGEAR Orbi WiFi system models. The flaw allows an authenticated user to inject arbitrary operating system commands through the device's management interface. Affected models include RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850 running firmware versions prior to 3.2.16.6 [1].

Exploitation

An attacker must first obtain valid administrative credentials for the target device. With authenticated access to the web-based management interface, the attacker can craft a malicious input that bypasses input sanitization and injects commands. The exact injection point is not publicly detailed, but the advisory confirms the vulnerability is exploitable by an authenticated user [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system with elevated privileges. This can lead to full compromise of the device, including unauthorized access to network traffic, modification of device settings, and potential lateral movement within the network [1].

Mitigation

NETGEAR has released firmware version 3.2.16.6 to address this vulnerability. Users are strongly advised to update their devices to this version or later via the NETGEAR Support page. No workarounds are provided; the only mitigation is applying the firmware update [1].