CVE-2021-45582

Vulnerability

An authenticated command injection vulnerability exists in certain NETGEAR Orbi WiFi system models. The vulnerability affects devices running firmware versions prior to [3.2.16.6]. This includes the following models: RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850 [1]. An attacker must have valid administrative credentials to exploit this flaw.

Exploitation

To exploit the vulnerability, an attacker must first authenticate to the device's web interface. Once authenticated, they can send crafted requests that inject arbitrary operating system commands. The attack requires network access to the management interface (typically on the local network) and depends on a successful authentication step. The precise injection point is not publicly disclosed but is classified as a post-authentication command injection [1].

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary commands on the underlying operating system with elevated privileges. This can lead to full compromise of the device, including the ability to read sensitive data, modify system configuration, and potentially pivot to other devices on the network.

Mitigation

NETGEAR has released firmware version [3.2.16.6] for all affected models to fix this vulnerability. Users should update their devices to this version or later as soon as possible. The firmware can be downloaded from the NETGEAR Support website. No workarounds are provided by the vendor; the only mitigation is applying the firmware update [1].