VYPR
Unrated severity · NVD Advisory · Published Dec 26, 2021 · Updated Aug 4, 2024

CVE-2021-45600

Description

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects CBR750 before 4.6.3.6, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated command injection in multiple NETGEAR WiFi system models allows attackers to execute arbitrary commands with high privileges.

Vulnerability

A post-authentication command injection vulnerability exists in the firmware of multiple NETGEAR WiFi system models [1]. The flaw allows an authenticated user to inject arbitrary operating system commands. Affected models include the CBR750 (firmware versions before 4.6.3.6), RBK852 (before 3.2.17.12), RBR850 (before 3.2.17.12), and RBS850 (before 3.2.17.12) [1]. The vulnerability is reachable when an attacker has valid credentials for the device's administrative interface.

Exploitation

An attacker must first obtain authenticated access to the device, which requires high privileges (e.g., administrator credentials) [1]. The attack vector is adjacent network (AV:A), meaning the attacker must be on the same local network as the device. No user interaction is required. With valid credentials, the attacker can send specially crafted requests to the device's management interface, leading to command injection [1]. The exact injection point is not publicly detailed, but the advisory confirms the vulnerability is exploitable post-authentication.

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system with elevated privileges [1]. The CVSS v3.1 score is 8.4 (High) with a vector of AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating a scope change and high impact on confidentiality, integrity, and availability [1]. This could lead to full compromise of the affected device, including access to sensitive data, modification of system settings, and potential use as a pivot point for further attacks on the network.

Mitigation

NETGEAR has released firmware updates to address this vulnerability [1]. The fixed versions are 4.6.3.6 for the CBR750 and 3.2.17.12 for the RBK852, RBR850, and RBS850 [1]. Users are strongly advised to download and install the latest firmware from NETGEAR Support. No workarounds are provided, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
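The mitigation above comes down to "is the running firmware older than the fixed version for this model?", and a common mistake in fleet inventories is to answer that with plain string comparison, which sorts "3.2.17.9" after "3.2.17.12". The following is an added example (not part of the advisory, not NETGEAR code) that takes the four model/fixed-version pairs from the advisory text, compares versions component-wise, and triages a constructed inventory of `model,firmware` lines; the `SAMPLE_INVENTORY` values and the function names are assumptions made for the example.

```python
"""Triage NETGEAR firmware strings against the fixed versions listed in the
CVE-2021-45600 advisory.  Added example, not from the advisory or NETGEAR.
The FIXED_VERSIONS table is copied from the advisory text; SAMPLE_INVENTORY
is constructed input for demonstration."""

from typing import Dict, List, Optional, Tuple

# Fixed firmware per model, as stated in the advisory.  Anything strictly
# below the fixed version for that model is affected.
FIXED_VERSIONS: Dict[str, str] = {
    "CBR750": "4.6.3.6",
    "RBK852": "3.2.17.12",
    "RBR850": "3.2.17.12",
    "RBS850": "3.2.17.12",
}

# Constructed inventory lines ("model,firmware"); not real devices.
SAMPLE_INVENTORY: List[str] = [
    "RBR850,3.2.17.9",     # older than 3.2.17.12, but sorts *after* it as a string
    "RBR850,3.2.17.12",    # exactly the fixed version
    "CBR750,4.6.3.5",      # one below the CBR750 fix
    "RBK852,3.2.18.0",     # newer minor release than the fix
    "R7000,1.0.11.100",    # model not named in this advisory
    "RBS850,beta",         # unparseable version string
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted firmware string into a tuple of ints so comparison is
    numeric per component.  Raises ValueError on anything non-numeric rather
    than silently guessing.  A shorter tuple compares lower than a longer one
    with the same prefix ("3.2.17" < "3.2.17.12"), i.e. is treated as older."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(model: str, version: str) -> Optional[bool]:
    """True if the model/firmware pair is below the fixed version, False if
    at or above it, None if the model is not one the advisory names."""
    fixed = FIXED_VERSIONS.get(model.strip().upper())
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Label each 'model,firmware' line AFFECTED, FIXED, OUT_OF_SCOPE or UNKNOWN
    (UNKNOWN = in-scope model whose version string could not be parsed)."""
    results: List[Tuple[str, str, str]] = []
    for line in lines:
        model, _, version = line.partition(",")
        model, version = model.strip(), version.strip()
        try:
            verdict = is_affected(model, version)
        except ValueError:
            results.append((model, version, "UNKNOWN"))
            continue
        if verdict is None:
            status = "OUT_OF_SCOPE"
        else:
            status = "AFFECTED" if verdict else "FIXED"
        results.append((model, version, status))
    return results


def lexical_pitfall(older: str, newer: str) -> bool:
    """Show why string comparison is wrong: returns True when plain string
    ordering claims `older` is not below `newer` even though it numerically is."""
    return not (older < newer) and parse_version(older) < parse_version(newer)


if __name__ == "__main__":
    for model, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{model:8s} {version:12s} {status}")
    print("string comparison misorders 3.2.17.9 vs 3.2.17.12:",
          lexical_pitfall("3.2.17.9", "3.2.17.12"))
```

Run it against an export of your device inventory instead of `SAMPLE_INVENTORY`; anything labelled AFFECTED is below the advisory's fixed version and should be scheduled for the NETGEAR firmware update, and UNKNOWN rows need a manual look at the device's admin page before they are treated as patched.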

Affected products: 4

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (No linked articles in our index yet.)