CVE-2020-15636 – This is a critical remote code execution vulner... (How to Fix)

Q: What is the severity of CVE-2020-15636?

CVE-2020-15636 has a CVSS score of 9.8 (CRITICAL). This is a critical remote code execution vulnerability in NETGEAR routers that allows unauthenticated attackers to execute arbitrary code with root privileges. The flaw exists in the check_ra service and can be exploited by sending a specially crafted RAE_Policy.json file. Affected users include anyone using vulnerable NETGEAR router models with specific firmware versions.

📋 TL;DR

This is a critical remote code execution vulnerability in NETGEAR routers that allows unauthenticated attackers to execute arbitrary code with root privileges. The flaw exists in the check_ra service and can be exploited by sending a specially crafted RAE_Policy.json file. Affected users include anyone using vulnerable NETGEAR router models with specific firmware versions.

💻 Affected Systems

Products:

NETGEAR R6400
NETGEAR R6700
NETGEAR R7000
NETGEAR R7850
NETGEAR R7900
NETGEAR R8000
NETGEAR RS400
NETGEAR XR300

Versions: Firmware 1.0.4.84_10.0.58

Operating Systems: Router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Only specific firmware version is affected. Other versions may be vulnerable if similar code exists.

📦 What is this software?

R6700 Firmware by Netgear

View all CVEs affecting R6700 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router with root-level access, allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, or brick the device.

🟠

Likely Case

Router takeover leading to man-in-the-middle attacks, credential theft, DNS hijacking, and botnet recruitment.

🟢

If Mitigated

No impact if patched or if the vulnerable service is disabled/blocked.

🌐 Internet-Facing: HIGH - Routers are directly internet-facing by design, and no authentication is required for exploitation.

🏢 Internal Only: LOW - This vulnerability requires network access to the router's management interface, which is typically internet-facing.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

ZDI published details and proof-of-concept. The vulnerability is straightforward to exploit with publicly available information.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later firmware versions (check NETGEAR advisory for specific patched versions)

Vendor Advisory: https://kb.netgear.com/000062128/Security-Advisory-for-Pre-Authentication-Stack-Overflow-on-R6700v3-PSV-2020-0224

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and install latest firmware. 4. Reboot router after update completes.

🔧 Temporary Workarounds

Disable Remote Management

all

Disable remote administration features to prevent external exploitation.

Log into router admin interface and disable 'Remote Management' in Advanced > Administration > Remote Management

Block check_ra Service

all

Use firewall rules to block access to the check_ra service port (typically port 80/443 for web interface).

Configure firewall to block inbound connections to router management ports from WAN interface

🧯 If You Can't Patch

Replace vulnerable router with a different model or from a different vendor
Place router behind another firewall that blocks all inbound management traffic

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under Advanced > Administration > Firmware Update

Check Version:

Log into router web interface and navigate to Advanced > Administration > Firmware Update to see current version

Verify Fix Applied:

Verify firmware version is newer than 1.0.4.84_10.0.58 and check that no unauthorized changes exist in router configuration

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /check_ra endpoint
Multiple failed authentication attempts followed by successful exploitation
Unexpected process execution or configuration changes

Network Indicators:

Unusual outbound connections from router
DNS queries to suspicious domains
Traffic patterns indicating man-in-the-middle activity

SIEM Query:

source="router_logs" AND (uri="/check_ra" OR process="check_ra")

📊 Metadata

CVE ID: CVE-2020-15636

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: August 20, 2020

Last Updated: November 21, 2024

🔗 References

https://kb.netgear.com/000062128/Security-Advisory-for-Pre-Authentication-Stack-Overflow-on-R6700v3-PSV-2020-0224 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-20-937/ Third Party Advisory,VDB Entry
https://kb.netgear.com/000062128/Security-Advisory-for-Pre-Authentication-Stack-Overflow-on-R6700v3-PSV-2020-0224 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-20-937/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-15636, you might also want to check these: