VYPR
Unrated severity · NVD Advisory · Published Dec 26, 2021 · Updated Aug 4, 2024

CVE-2021-45597

Description

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, RBR850 before 3.2.17.12, RBS850 before 3.2.17.12, and RBS850 before 3.2.17.12.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated command injection in NETGEAR WiFi System models CBR40, CBR750, RBR850, and RBS850 allows arbitrary command execution as root.

Vulnerability

A post-authentication command injection vulnerability exists in the web management interface of several NETGEAR WiFi System models. Affected devices are CBR40 prior to firmware version 2.5.0.24, CBR750 prior to 4.6.3.6, RBR850 and RBS850 prior to 3.2.17.12 [1]. The vulnerability stems from insufficient input validation on the admin web interface, allowing an authenticated user to inject operating system commands [1].

Exploitation

An attacker must have valid administrative credentials to the device's web interface. With these credentials, the attacker sends crafted HTTP requests to a vulnerable endpoint, injecting shell commands via unsanitized parameters. No user interaction is required beyond the initial authentication [1]. The attack vector is adjacent network (CVSS:3.1/AV:A) [1].

Impact

Successful exploitation results in arbitrary command execution with the highest system privileges (root) on the device. This can lead to a complete compromise of confidentiality, integrity, and availability, as the attacker can read, modify, or delete any data, install persistent malware, or use the device as a pivot point [1].

Mitigation

NETGEAR has released fixed firmware versions: CBR40 2.5.0.24, CBR750 4.6.3.6, RBR850 and RBS850 3.2.17.12 [1]. Users should update through the NETGEAR Support page [1]. The vulnerability is post-authentication, and no vendor workaround is available; where the firmware cannot be updated, restricting access to the management interface with firewall rules is recommended [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0 (none discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in the index yet)