CVE-2021-45620
Description
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, EAX20 before 1.0.0.58, EAX80 before 1.0.1.68, LAX20 before 1.1.6.28, MR60 before 1.0.6.116, MR80 before 1.1.2.20, MS60 before 1.0.6.116, MS80 before 1.1.2.20, MK62 before 1.0.6.116, MK83 before 1.1.2.20, R6400 before 1.0.1.70, R6400v2 before 1.0.4.106, R6700v3 before 1.0.4.106, R6900P before 1.3.3.140, R7000 before 1.0.11.126, R7000P before 1.3.3.140, R7850 before 1.0.5.74, R7900 before 1.0.4.46, R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 1.0.4.74, R8000P before 1.4.2.84, RAX15 before 1.0.3.96, RAX20 before 1.0.3.96, RAX200 before 1.0.4.120, RAX35v2 before 1.0.3.96, RAX40v2 before 1.0.3.96, RAX43 before 1.0.3.96, RAX45 before 1.0.3.96, RAX50 before 1.0.3.96, RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK752 before 3.2.17.12, RBK852 before 3.2.17.12, RBR750 before 3.2.17.12, RBR850 before 3.2.17.12, RBS750 before 3.2.17.12, RBS850 before 3.2.17.12, RS400 before 1.5.1.80, XR1000 before 1.0.0.58, and XR300 before 1.0.3.68.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pre-authentication command injection in many NETGEAR routers, extenders, and WiFi systems allows unauthenticated remote attackers to execute arbitrary commands on affected devices.
Vulnerability
CVE-2021-45620 is a pre-authentication command injection vulnerability affecting a wide range of NETGEAR devices. The issue resides in the firmware of routers, extenders, and WiFi systems, and does not require any prior authentication. Affected models and their vulnerable firmware versions include: CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, EAX20 before 1.0.0.58, EAX80 before 1.0.1.68, LAX20 before 1.1.6.28, MR60 before 1.0.6.116, MR80 before 1.1.2.20, MS60 before 1.0.6.116, MS80 before 1.1.2.20, MK62 before 1.0.6.116, MK83 before 1.1.2.20, R6400 before 1.0.1.70, R6400v2 before 1.0.4.106, R6700v3 before 1.0.4.106, R6900P before 1.3.3.140, R7000 before 1.0.11.126, R7000P before 1.3.3.140, R7850 before 1.0.5.74, R7900 before 1.0.4.46, R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 1.0.4.74, R8000P before 1.4.2.84, RAX15 before 1.0.3.96, RAX20 before 1.0.3.96, RAX200 before 1.0.4.120, RAX35v2 before 1.0.3.96, RAX40v2 before 1.0.3.96, RAX43 before 1.0.3.96, RAX45 before 1.0.3.96, RAX50 before 1.0.3.96, RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK752 before 3.2.17.12, RBK852 before 3.2.17.12, RBR750 before 3.2.17.12, RBR850 before 3.2.17.12, RBS750 before 3.2.17.12, RBS850 before 3.2.17.12, RS400 before 1.5.1.80, XR1000 before 1.0.0.58, and XR300 before 1.0.3.68 [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability over the network without any prior access or credentials [1]; network connectivity to the affected device is the only requirement. The exact vector is not publicly described in the available reference, but the advisory confirms that no authentication is required, meaning an attacker who can reach the device can send specially crafted requests that trigger the command injection, achieving remote code execution as a high-privilege user.
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary operating system commands on the affected device with elevated privileges [1]. This can lead to full compromise of the device, including disclosure of sensitive information, modification of device configuration, denial of service, or use as a pivot point for further attacks on the local network.
Mitigation
NETGEAR has released fixed firmware versions for all affected models [1]. Users should update their devices to the following versions or later: CBR40 to 2.5.0.24, CBR750 to 4.6.3.6, EAX20 to 1.0.0.58, EAX80 to 1.0.1.68, LAX20 to 1.1.6.28, MR60 to 1.0.6.116, MR80 to 1.1.2.20, MS60 to 1.0.6.116, MS80 to 1.1.2.20, MK62 to 1.0.6.116, MK83 to 1.1.2.20, R6400 to 1.0.1.70, R6400v2 to 1.0.4.106, R6700v3 to 1.0.4.106, R6900P to 1.3.3.140, R7000 to 1.0.11.126, R7000P to 1.3.3.140, R7850 to 1.0.5.74, R7900 to 1.0.4.46, R7900P to 1.4.2.84, R7960P to 1.4.2.84, R8000 to 1.0.4.74, R8000P to 1.4.2.84, RAX15 to 1.0.3.96, RAX20 to 1.0.3.96, RAX200 to 1.0.4.120, RAX35v2 to 1.0.3.96, RAX40v2 to 1.0.3.96, RAX43 to 1.0.3.96, RAX45 to 1.0.3.96, RAX50 to 1.0.3.96, RAX75 to 1.0.4.120, RAX80 to 1.0.4.120, RBK752 to 3.2.17.12, RBK852 to 3.2.17.12, RBR750 to 3.2.17.12, RBR850 to 3.2.17.12, RBS750 to 3.2.17.12, RBS850 to 3.2.17.12, RS400 to 1.5.1.80, XR1000 to 1.0.0.58, and XR300 to 1.0.3.68 [1]. No workarounds are mentioned in the advisory. If updating is not possible, network-level access controls should be applied.
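Because the fix is a per-model firmware floor, the practical defender task is checking an inventory of NETGEAR devices against the table above. The script below is an added example, not part of the CVE record or of any NETGEAR tooling: it encodes the fixed versions exactly as the description lists them and compares them numerically, so that `1.0.11.9` is correctly treated as older than `1.0.11.126` (a plain string comparison would get this wrong). The handling of a leading `V` and a `_` suffix in the running-version string is an assumption about how devices report firmware versions, not something taken from the page, and the sample inventory is constructed.

```python
"""Firmware-version check for the NETGEAR models listed in CVE-2021-45620.

Added example (not from the CVE record). Encodes the fixed-version table from
the advisory text and answers "is this model, at this version, still affected?".
Assumption: devices report versions like 'V1.0.11.126_10.2.100'; the optional
leading 'V' and '_suffix' are not part of the advisory's version numbers and
are stripped before comparison.
"""
import re
from typing import List, Optional, Tuple

# Fixed firmware versions from the CVE description. A device is affected when
# it runs a version strictly earlier than the one listed for its model.
FIXED_VERSIONS = {
    "CBR40": "2.5.0.24", "CBR750": "4.6.3.6", "EAX20": "1.0.0.58", "EAX80": "1.0.1.68",
    "LAX20": "1.1.6.28", "MR60": "1.0.6.116", "MR80": "1.1.2.20", "MS60": "1.0.6.116",
    "MS80": "1.1.2.20", "MK62": "1.0.6.116", "MK83": "1.1.2.20", "R6400": "1.0.1.70",
    "R6400v2": "1.0.4.106", "R6700v3": "1.0.4.106", "R6900P": "1.3.3.140",
    "R7000": "1.0.11.126", "R7000P": "1.3.3.140", "R7850": "1.0.5.74", "R7900": "1.0.4.46",
    "R7900P": "1.4.2.84", "R7960P": "1.4.2.84", "R8000": "1.0.4.74", "R8000P": "1.4.2.84",
    "RAX15": "1.0.3.96", "RAX20": "1.0.3.96", "RAX200": "1.0.4.120", "RAX35v2": "1.0.3.96",
    "RAX40v2": "1.0.3.96", "RAX43": "1.0.3.96", "RAX45": "1.0.3.96", "RAX50": "1.0.3.96",
    "RAX75": "1.0.4.120", "RAX80": "1.0.4.120", "RBK752": "3.2.17.12", "RBK852": "3.2.17.12",
    "RBR750": "3.2.17.12", "RBR850": "3.2.17.12", "RBS750": "3.2.17.12", "RBS850": "3.2.17.12",
    "RS400": "1.5.1.80", "XR1000": "1.0.0.58", "XR300": "1.0.3.68",
}

# Optional leading 'V', then dotted integers; anything after (e.g. '_10.2.100') is ignored.
_VERSION_RE = re.compile(r"^[Vv]?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'V1.0.11.126_10.2.100' -> (1, 0, 11, 126). Numeric tuples compare correctly
    where strings would not ('1.0.11.9' < '1.0.11.126')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def normalize_model(model: str) -> str:
    """Case-insensitive model lookup so 'rbr750' matches 'RBR750'."""
    lookup = {name.lower(): name for name in FIXED_VERSIONS}
    return lookup.get(model.strip().lower(), model.strip())


def is_vulnerable(model: str, running_version: str) -> Optional[bool]:
    """True if the model is in the advisory and runs a version below the fix,
    False if it is at or above the fix, None if the model is not listed
    (the advisory says nothing about it, so no claim is made either way).
    A truncated version such as '1.0.4' compares below '1.0.4.106' and is
    therefore treated conservatively as affected."""
    fixed = FIXED_VERSIONS.get(normalize_model(model))
    if fixed is None:
        return None
    return parse_version(running_version) < parse_version(fixed)


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (model, running_version, fixed_version) for every device still affected."""
    findings = []
    for model, running in inventory:
        if is_vulnerable(model, running):
            name = normalize_model(model)
            findings.append((name, running, FIXED_VERSIONS[name]))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory for illustration; not real devices.
    sample = [
        ("R7000", "V1.0.11.9_10.2.100"),    # below fix: affected
        ("R7000", "V1.0.11.126_10.2.100"),  # at fix: not affected
        ("RAX200", "1.0.4.120"),            # at fix: not affected
        ("rbr750", "3.2.16.6"),             # below fix: affected
        ("WNDR3400", "1.0.0.5"),            # not in this advisory: no verdict
    ]
    for name, running, fixed in audit(sample):
        print(f"UPDATE NEEDED: {name} runs {running}, fixed in {fixed}")
```

Run it against an exported device list (model, firmware string) to get the subset that still needs the update; models absent from the advisory come back as `None` rather than as "safe", which keeps the check honest about what the advisory does and does not cover.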
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
NETGEAR / NETGEAR devices (from description)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.