CVE-2021-45594

Vulnerability

A post-authentication command injection vulnerability exists in certain NETGEAR WiFi system products. The affected models include RBS50Y, RBR20, RBR40, RBR50, RBS20, RBS40, RBS50, RBK20, RBK40, and RBK50 running firmware versions prior to 2.7.3.22. The vulnerability allows an authenticated user to inject arbitrary operating system commands through an unspecified input field [1].

Exploitation

An attacker must first obtain valid credentials for the device's administrative interface. No additional network position or user interaction beyond authentication is specified in the available references. Once authenticated, the attacker can inject commands via the vulnerable input, which are then executed by the device's operating system [1].

Impact

Successful exploitation enables an authenticated attacker to execute arbitrary commands on the affected NETGEAR device with the privileges of the underlying system. This can lead to complete compromise of the device's confidentiality, integrity, and availability, including potential data exfiltration, modification of device configuration, or denial of service [1].

Mitigation

NETGEAR has released firmware version 2.7.3.22 to address this vulnerability. Users should update the affected devices to this version or later as soon as possible. The firmware can be obtained from the NETGEAR Support website by following the standard download and installation instructions [1]. No workaround is documented.