Unrated severity · NVD Advisory · Published Mar 29, 2023 · Updated Feb 18, 2025

CVE-2022-27642

Description

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-15854.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A flaw in NETGEAR R6700v3's httpd authentication logic allows unauthenticated network-adjacent attackers to access protected pages and potentially execute code as root.

Vulnerability

This authentication bypass vulnerability affects NETGEAR R6700v3 routers running firmware version 1.0.4.120_10.0.91 and possibly other models. The flaw resides in the httpd service and results from incorrect string matching logic when evaluating access to protected pages. An attacker does not require authentication to exploit this vulnerability. NETGEAR has released fixes for numerous models including R6700v3 (firmware version 1.0.4.126) as part of advisory PSV-2021-0327 [1][2].

Exploitation

An attacker must be network-adjacent (e.g., on the same WiFi network or connected via Ethernet) and does not need any credentials. The specific steps involve sending crafted HTTP requests that exploit the weak string-matching check in the httpd service, thereby bypassing the authentication mechanism for protected pages [1][2].

Impact

Successful exploitation allows the attacker to bypass authentication and access otherwise protected administrative interfaces or resources. The advisory states that this can be leveraged in conjunction with other vulnerabilities to achieve code execution in the context of root, leading to full compromise of the router [1][2].

Mitigation

NETGEAR released fixed firmware version 1.0.4.126 for the R6700v3 on 2022-03-17. Users should upgrade via the router's administration interface. The fix addresses the string matching flaw. For other affected models, refer to NETGEAR's advisory PSV-2021-0327 for the appropriate fixed firmware version [1][2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Netgear/R6700v3 (llm-create)
    Range: = 1.0.4.120_10.0.91
  • NETGEAR/R6700v3 (v5)
    Range: 1.0.4.120_10.0.91

References

2
