CVE-2021-45627

Vulnerability

A pre-authentication command injection vulnerability exists in several NETGEAR WiFi system models, including the CBR750, RBK852, RBR850, and RBS850. The vulnerability affects firmware versions prior to 4.6.3.6 for the CBR750 and prior to 3.2.17.12 for the RBK852, RBR850, and RBS850 [1]. An unauthenticated attacker can exploit this flaw without any prior access or authentication.

Exploitation

An attacker with network access to the affected device (adjacent network, as per CVSS vector) can send specially crafted requests to trigger command injection. No authentication or user interaction is required [1]. The exact attack vector is not detailed in the advisory, but the vulnerability is classified as pre-authentication, meaning the injection occurs before any login process.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the device with high privileges. The CVSS score of 9.6 (Critical) indicates a severe impact on confidentiality, integrity, and availability, with a scope change [1]. This could lead to full device compromise, including data exfiltration, configuration changes, or denial of service.

Mitigation

NETGEAR has released fixed firmware versions: 4.6.3.6 for the CBR750 and 3.2.17.12 for the RBK852, RBR850, and RBS850 [1]. Users are strongly advised to download and install the latest firmware from NETGEAR Support. No workarounds are provided, and the vulnerability remains exploitable if firmware is not updated.