CVE-2021-45580

Vulnerability

A post-authentication command injection vulnerability exists in the web management interface of certain NETGEAR Orbi WiFi system models. Affected devices include RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850 running firmware versions prior to 3.2.16.6. The vulnerability is triggered when an authenticated user sends specially crafted input to a vulnerable endpoint, allowing injection of operating system commands [1].

Exploitation

An attacker must first obtain valid credentials for the device's administrative web interface. With authenticated access, the attacker can send a crafted HTTP request containing command injection payloads to a vulnerable parameter. No additional privileges or user interaction beyond authentication are required. The attack can be launched from the local network (adjacent) as indicated by the CVSS vector [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system with root privileges. This can lead to full compromise of the device, including data exfiltration, installation of malware, or use of the device as a pivot point for further network attacks. The CVSS score is 8.4 (High) [1].

Mitigation

NETGEAR has released firmware version 3.2.16.6 to fix this vulnerability. Users should update their devices to this version or later immediately. The advisory provides instructions for downloading and installing the firmware from NETGEAR Support [1]. No workarounds are documented; updating is the only recommended mitigation.