CVE-2021-45661
Description
Server-side injection in multiple NETGEAR WiFi systems allows remote attackers to execute arbitrary commands; fixed in firmware updates.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A server-side injection vulnerability exists in several NETGEAR WiFi system models. Affected devices include RBK40, RBR40, RBS40, RBK20, RBR20, RBS20, RBK50, RBR50, and RBS50 running firmware versions prior to 2.5.1.16, and RBS50Y running firmware versions prior to 2.6.1.40 [1]. The vulnerability is present in the firmware's handling of certain inputs, allowing injection of malicious data that is processed server-side.
Exploitation
An attacker with network access to the affected device can exploit this vulnerability by sending specially crafted requests. The advisory does not detail the exact attack vector, but server-side injection typically involves injecting malicious input that is processed by the server without proper sanitization [1]. No authentication is required for exploitation.
Impact
Successful exploitation could allow an attacker to execute arbitrary commands on the device, potentially leading to full compromise of the WiFi system. This could result in unauthorized access to network traffic, configuration changes, or further lateral movement within the network [1].
Mitigation
NETGEAR has released fixed firmware versions: 2.5.1.16 for most models and 2.6.1.40 for RBS50Y. Users are strongly advised to download and install the latest firmware from NETGEAR Support as soon as possible [1]. No workarounds are provided; updating firmware is the only mitigation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- NETGEAR/RBK40 (description)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.