VYPR
Unrated severity · NVD Advisory · Published Dec 26, 2021 · Updated Aug 4, 2024

CVE-2021-45639

Description

Certain NETGEAR devices are affected by reflected XSS. This affects CBR40 before 2.5.0.10, EAX20 before 1.0.0.32, EAX80 before 1.0.1.62, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7000 before 1.0.1.104, EX7500 before 1.0.0.72, R7000 before 1.0.11.110, R7900 before 1.0.4.30, R7960P before 1.4.1.66, R8000 before 1.0.4.62, RAX200 before 1.0.2.102, XR300 before 1.0.3.50, EX3700 before 1.0.0.90, MR60 before 1.0.5.102, R7000P before 1.3.2.126, R8000P before 1.4.1.66, RAX20 before 1.0.1.64, RAX50 before 1.0.2.28, RAX80 before 1.0.3.102, EX3800 before 1.0.0.90, MS60 before 1.0.5.102, R6900P before 1.3.2.126, R7900P before 1.4.1.66, RAX15 before 1.0.1.64, RAX45 before 1.0.2.28, RAX75 before 1.0.3.102, RBR750 before 3.2.16.6, RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, RBS850 before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 before 3.2.16.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in multiple NETGEAR devices allows remote attackers to execute arbitrary script in a user's browser session.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the web interface of multiple NETGEAR routers, extenders, and WiFi systems. Affected models include CBR40 before 2.5.0.10, EAX20 before 1.0.0.32, EAX80 before 1.0.1.62, and many others (see advisory [1] for full list). The vulnerability is triggered when the device reflects user-supplied input without proper sanitization.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing an XSS payload. The victim must be tricked into clicking the link while authenticated to the device's web interface. No special network access or authentication is required to deliver the payload; the attack can be performed remotely.

Impact

Successful exploitation allows the attacker to execute arbitrary HTML and JavaScript in the victim's browser session. This could lead to session hijacking, credential theft, or further attacks against the device or network.

Mitigation

NETGEAR has released firmware updates for all affected models. Users should download and install the latest firmware version as specified in the advisory [1]. No workarounds are available.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0 (no patches discovered yet)


References: 1

News mentions: 0