CVE-2021-45635

Vulnerability

A pre-authentication command injection vulnerability exists in the firmware of multiple NETGEAR WiFi system models. The affected devices include CBR750 before 4.6.3.6, RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12. The vulnerability allows an unauthenticated attacker to inject arbitrary commands, as no prior authentication is required to reach the vulnerable code path [1].

Exploitation

An attacker with network access to the affected device can send specially crafted requests to exploit the command injection flaw. No authentication or user interaction is required. The advisory does not provide specific technical details of the attack vector, but the vulnerability is classified as pre-authentication, meaning the attacker does not need valid credentials [1].

Impact

Successful exploitation permits the attacker to execute arbitrary commands on the device with elevated privileges, potentially leading to full compromise of the WiFi system. This includes the ability to install malware, pivot to other devices on the network, or exfiltrate sensitive information [1].

Mitigation

NETGEAR has released firmware updates to address this vulnerability. Users should upgrade CBR750 to version 4.6.3.6, and all other affected models (RBK752, RBR750, RBS750, RBK852, RBR850, RBS850) to version 3.2.17.12. No workarounds are mentioned; NETGEAR strongly recommends installing the latest firmware available [1].