CVE-2021-45601
Description
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated command injection in multiple NETGEAR WiFi system models allows attackers to execute arbitrary commands.
Vulnerability
A post-authentication command injection vulnerability exists in the firmware of several NETGEAR WiFi system models. The flaw affects CBR40 before version 2.5.0.24, CBR750 before 4.6.3.6, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12 [1]. An authenticated user can inject arbitrary operating system commands through a vulnerable input field or API endpoint.
Exploitation
To exploit this vulnerability, an attacker must have valid credentials for the device's administrative interface and be on an adjacent network (CVSS vector AV:A/PR:H) [1]. No user interaction is required beyond the attacker's own actions. The attacker can send crafted requests containing command injection payloads to the affected component, leading to execution of arbitrary commands with root privileges.
Impact
Successful exploitation grants the attacker full command execution on the device. This results in a complete compromise of confidentiality, integrity, and availability, with a scope change (CVSS 8.4, High) [1]. The attacker can read sensitive data, modify device configuration, install malware, or disrupt network services.
Mitigation
NETGEAR released fixed firmware versions on 2021-09-26: CBR40 2.5.0.24, CBR750 4.6.3.6, RBK852 3.2.17.12, RBR850 3.2.17.12, and RBS850 3.2.17.12 [1]. Users should update to the latest firmware immediately via the NETGEAR Support page. No workarounds are documented; the only mitigation is applying the patch.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
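A practical check a defender can run against a device inventory, added here as an example and not part of the CVE record: it compares reported firmware against the fixed versions the description lists for each model. The inventory rows and the handling of a leading "V" and a trailing "_build" suffix in firmware strings are assumptions, not something the advisory states.

```python
"""Triage a NETGEAR firmware inventory against the fixed versions for CVE-2021-45601."""
from typing import Dict, List, Tuple

# Fixed firmware versions exactly as given in the CVE-2021-45601 description.
FIXED_VERSIONS: Dict[str, str] = {
    "CBR40": "2.5.0.24",
    "CBR750": "4.6.3.6",
    "RBK852": "3.2.17.12",
    "RBR850": "3.2.17.12",
    "RBS850": "3.2.17.12",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted firmware string such as '3.2.17.12' into a comparable tuple.

    Assumption: devices may report the version with a leading 'V' and a trailing
    build suffix after an underscore (e.g. 'V3.2.17.12_1.0.1'); both are dropped.
    """
    core = version.strip().lstrip("Vv").split("_", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(model: str, version: str) -> bool:
    """True when the model is named in the advisory and runs firmware below the fix."""
    fixed = FIXED_VERSIONS.get(model.upper())
    if fixed is None:
        return False  # model not listed for this CVE
    return parse_version(version) < parse_version(fixed)


def triage_inventory(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose (model, firmware) pair is still vulnerable."""
    return [host for host, model, version in inventory if is_affected(model, version)]


# Constructed sample inventory (hostname, model, firmware); not real devices.
SAMPLE_INVENTORY = [
    ("mesh-router-1", "RBR850", "V3.2.17.10_1.0.1"),
    ("mesh-sat-1", "RBS850", "3.2.17.12"),
    ("cable-modem-1", "CBR40", "2.5.0.23"),
    ("other-ap", "R7000", "1.0.11.100"),
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: firmware below the fixed version for CVE-2021-45601")
```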
Affected products
4 - NETGEAR / NETGEAR devices
Patches
0 - No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1
News mentions
0 - No linked articles in our index yet.