CVE-2021-45634

Vulnerability

A pre-authentication command injection vulnerability exists in the web interfaces of several NETGEAR WiFi system models. The flaw affects the CBR750 running firmware versions prior to 4.6.3.6, and the RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850 all running firmware versions prior to 3.2.17.12 [1]. An attacker can inject arbitrary operating system commands without requiring any prior authentication, as the vulnerable code processes user-supplied input before authentication checks [1].

Exploitation

An unauthenticated attacker with network access to the affected device can send crafted HTTP requests to the vulnerable endpoint. No user interaction or special privileges are required. By manipulating input parameters, the attacker can inject shell commands that the device executes with root privileges [1].

Impact

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary commands on the device as root. This can lead to full compromise of the device, including complete control over network traffic, data exfiltration, lateral movement within the network, or disabling security features [1].

Mitigation

NETGEAR released fixed firmware versions: CBR750 to 4.6.3.6, and all other affected models to 3.2.17.12 [1]. Users should update immediately via the NETGEAR Support downloads page. No workaround is available; the only mitigation is applying the firmware update [1]. The vulnerability is not listed in CISA's known exploited vulnerabilities (KEV) catalog as of the publication date [1].