CVE-2021-45615

Vulnerability

A pre-authentication command injection vulnerability exists in several NETGEAR router and WiFi system models. The flaw allows an unauthenticated attacker to inject arbitrary commands through a specially crafted request. Affected models include CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000P before 1.4.2.84, R8300 before 1.0.2.154, R8500 before 1.0.2.154, RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12 [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a malicious request to the affected device over the network. No authentication or user interaction is required. The exact attack vector is not detailed in the available references, but the advisory confirms that the injection occurs before authentication [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the device with root or system-level privileges. This can lead to full compromise of the device, including data exfiltration, further network attacks, or denial of service [1].

Mitigation

NETGEAR has released firmware updates to fix this vulnerability. Users should upgrade to the following versions or later: CBR40 to 2.5.0.24, CBR750 to 4.6.3.6, R7900P/R7960P/R8000P to 1.4.2.84, R8300/R8500 to 1.0.2.154, and all Orbi models (RBK752, RBR750, RBS750, RBK852, RBR850, RBS850) to 3.2.17.12. The firmware can be downloaded from NETGEAR Support [1]. No workarounds are provided.