CVE-2021-45599
Description
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NETGEAR WiFi systems are vulnerable to post-authentication command injection, allowing authenticated attackers to execute arbitrary commands.
Vulnerability
A post-authentication command injection vulnerability exists in certain NETGEAR WiFi system models. Affected devices include CBR40 (before firmware 2.5.0.24), CBR750 (before 4.6.3.6), RBK852, RBR850, and RBS850 (all before firmware 3.2.17.12). The vulnerability allows an authenticated user to inject arbitrary commands into the system.[1]
Exploitation
An attacker must possess valid authentication credentials and network access to the vulnerable device. With this access, the attacker can send crafted input that bypasses input validation, leading to command injection. The exact attack vector is not detailed in the advisory, but it is classified as post-authentication and requires no user interaction beyond the attacker's own actions.[1]
Impact
Successful exploitation allows the attacker to execute arbitrary commands with elevated privileges (likely root), resulting in full device compromise. This can lead to disclosure of sensitive information, modification of device settings, and potential use of the device as a pivot for further attacks on the network. The CVSS score is 8.4 (High), with scope change and high impact on confidentiality, integrity, and availability.[1]
Mitigation
NETGEAR has released fixed firmware versions for all affected models: CBR40 version 2.5.0.24, CBR750 version 4.6.3.6, and RBK852/RBR850/RBS850 version 3.2.17.12. Users are strongly advised to update to the latest firmware as soon as possible. No workarounds are provided for unpatched devices.[1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
NETGEAR/NETGEAR devices
Patches
No patches discovered yet.
References