CVE-2021-45630

Vulnerability

A pre-authentication command injection vulnerability exists in several NETGEAR WiFi system models. The flaw resides in the firmware's handling of certain network requests without proper input validation, allowing an unauthenticated attacker to inject arbitrary operating system commands. Affected models and firmware versions are: CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12 [1].

Exploitation

An attacker does not require any prior authentication or network credentials. The vulnerability can be triggered by sending specially crafted network packets to the affected device's management interface or other exposed services. No user interaction is needed, and the attack can be carried out remotely from the local network or potentially from the internet if the device is exposed [1].

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary commands with root privileges on the device. This leads to full compromise of the WiFi system, including the ability to read sensitive data, modify device configuration, install malware, or use the device as a pivot for further network attacks [1].

Mitigation

NETGEAR has released fixed firmware versions for all affected models: CBR40 to 2.5.0.24, CBR750 to 4.6.3.6, and all other models to 3.2.17.12. The fixes were first published on 2021-09-26 [1]. Users should download and install the latest firmware from NETGEAR Support. No workarounds are available; updating is the only recommended mitigation.