CVE-2021-45660
Description
Server-side injection vulnerability in multiple NETGEAR WiFi system models allows remote attackers to execute arbitrary commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A server-side injection vulnerability exists in the firmware of several NETGEAR WiFi system models, including RBK40, RBR40, RBS40, RBK20, RBR20, RBS20, RBK50, RBR50, RBS50, and RBS50Y. Affected versions are those prior to firmware 2.5.1.16 for most models, and prior to 2.6.1.40 for the RBS50Y [1]. The vulnerability is present in the device's web management interface or other server-side components, allowing injection of malicious input.
Exploitation
An attacker with network access to the affected device can exploit this vulnerability by sending specially crafted requests to the device's management interface. No authentication is required, as the injection occurs before authentication checks [1]. The exact exploitation steps are not publicly detailed, but the vulnerability is classified as server-side injection, implying that the attacker can inject commands or data into server-side processing.
Impact
Successful exploitation could allow an attacker to execute arbitrary commands on the device with elevated privileges. This could lead to full compromise of the device, enabling information disclosure, denial of service, or use of the device as a pivot point for further network attacks [1].
Mitigation
NETGEAR has released fixed firmware versions: 2.5.1.16 for most affected models and 2.6.1.40 for the RBS50Y. Users are strongly advised to download and install the latest firmware from NETGEAR Support as soon as possible [1]. No workarounds are available; updating firmware is the only mitigation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- NETGEAR/RBK40 (description)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.