CVE-2021-45585

Vulnerability

A post-authentication command injection vulnerability exists in the web management interface of several NETGEAR Orbi WiFi system models. Affected firmware versions are prior to 3.2.16.6 for RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850. The vulnerability allows an authenticated user to inject arbitrary operating system commands through a crafted request to the web interface, due to insufficient sanitization of user-supplied input [1].

Exploitation

To exploit this issue, an attacker must first authenticate to the affected device (i.e., have administrative credentials). Once logged in, the attacker can send a specially crafted HTTP request to the vulnerable endpoint, injecting commands that are executed with root privileges [1]. No additional user interaction is required beyond authentication.

Impact

Successful exploitation enables an authenticated attacker to execute arbitrary commands on the underlying operating system with root privileges. This can lead to full compromise of the device, including complete disclosure of sensitive data, modification of system files, and persistent unauthorized access. The CVSS score is 8.4 (Medium) with vector CVSS:3.1/AV:A/AC:L... [1].

Mitigation

NETGEAR released fixed firmware version 3.2.16.6 for all affected models. Users should download and apply the latest firmware from NETGEAR Support as soon as possible. No workarounds are provided by the vendor; updating to the patched version is the recommended and only mitigation [1].