CVE-2021-45616
Description
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects CBR750 before 3.2.18.2, LAX20 before 1.1.6.28, MK62 before 1.0.6.116, MR60 before 1.0.6.116, MS60 before 1.0.6.116, R6900P before 1.3.3.140, R7000 before 1.0.11.126, R7000P before 1.3.3.140, R7850 before 1.0.5.68, R7900 before 1.0.4.46, R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 1.0.4.68, R8000P before 1.4.2.84, RAX15 before 1.0.3.96, RAX20 before 1.0.3.96, RAX200 before 1.0.4.120, RAX35v2 before 1.0.3.96, RAX40v2 before 1.0.3.96, RAX43 before 1.0.3.96, RAX45 before 1.0.3.96, RAX50 before 1.0.3.96, RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK752 before 3.2.17.12, RBK852 before 3.2.17.12, RBR750 before 3.2.17.12, RBR850 before 3.2.17.12, RBS750 before 3.2.17.12, RBS850 before 3.2.17.12, RS400 before 1.5.1.80, and XR1000 before 1.0.0.58.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated command injection vulnerability in multiple NETGEAR routers and WiFi systems allows remote attackers to execute arbitrary commands.
Vulnerability
CVE-2021-45616 is a pre-authentication command injection vulnerability affecting numerous NETGEAR router and WiFi system models. The flaw resides in the firmware of devices such as CBR750 (before 3.2.18.2), LAX20 (before 1.1.6.28), MK62 (before 1.0.6.116), MR60 (before 1.0.6.116), MS60 (before 1.0.6.116), R6900P (before 1.3.3.140), R7000 (before 1.0.11.126), R7000P (before 1.3.3.140), R7850 (before 1.0.5.68), R7900 (before 1.0.4.46), R7900P (before 1.4.2.84), R7960P (before 1.4.2.84), R8000 (before 1.0.4.68), R8000P (before 1.4.2.84), RAX15 (before 1.0.3.96), RAX20 (before 1.0.3.96), RAX200 (before 1.0.4.120), RAX35v2 (before 1.0.3.96), RAX40v2 (before 1.0.3.96), RAX43 (before 1.0.3.96), RAX45 (before 1.0.3.96), RAX50 (before 1.0.3.96), RAX75 (before 1.0.4.120), RAX80 (before 1.0.4.120), RBK752 (before 3.2.17.12), RBK852 (before 3.2.17.12), RBR750 (before 3.2.17.12), RBR850 (before 3.2.17.12), RBS750 (before 3.2.17.12), RBS850 (before 3.2.17.12), RS400 (before 1.5.1.80), and XR1000 (before 1.0.0.58). An attacker can exploit this without any prior authentication, making the attack surface broad [1].
Exploitation
An unauthenticated attacker can send a specially crafted HTTP request to the affected device's management interface or other exposed services. The vulnerability allows the injection of arbitrary operating system commands due to insufficient input sanitization. No user interaction or special network position is required beyond network access to the device [1].
Impact
Successful exploitation grants the attacker arbitrary command execution on the device, typically with root privileges. This can lead to full compromise of the router or WiFi system, including data exfiltration, installation of malware, denial of service, or use of the device as a pivot point for further attacks on the internal network [1].
Mitigation
NETGEAR has released firmware updates for all affected models. Users should immediately upgrade to the fixed versions listed in the advisory: for example, CBR750 to 3.2.18.2, LAX20 to 1.1.6.28, and so on. The advisory was published on December 22, 2021, and no workarounds are provided; updating firmware is the only mitigation [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4- NETGEAR/NETGEARdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.