Login Sign Up

CVE-2020-26897

9.6 CRITICAL
Authentication Bypass

📋 TL;DR

This vulnerability allows attackers to retrieve administrative credentials from affected NETGEAR WiFi systems. Attackers could gain full administrative control over the devices. Affected devices include specific models of NETGEAR Orbi and Nighthawk WiFi systems running vulnerable firmware versions.

💻 Affected Systems

Products:
  • NETGEAR CBR40
  • NETGEAR RBK752
  • NETGEAR RBR750
  • NETGEAR RBS750
  • NETGEAR RBK852
  • NETGEAR RBR850
  • NETGEAR RBS850
Versions: CBR40 before 2.5.0.10, RBK752/RBR750/RBS750 before 3.2.15.25, RBK852/RBR850/RBS850 before 3.2.10.11
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both router and satellite units in mesh systems. All default configurations are vulnerable.

📦 What is this software?

Cbr40 Firmware by Netgear

View all CVEs affecting Cbr40 Firmware →

Rbk752 Firmware by Netgear

View all CVEs affecting Rbk752 Firmware →

Rbk852 Firmware by Netgear

View all CVEs affecting Rbk852 Firmware →

Rbr750 Firmware by Netgear

View all CVEs affecting Rbr750 Firmware →

Rbr850 Firmware by Netgear

View all CVEs affecting Rbr850 Firmware →

Rbs750 Firmware by Netgear

View all CVEs affecting Rbs750 Firmware →

Rbs850 Firmware by Netgear

View all CVEs affecting Rbs850 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of the WiFi system allowing attackers to intercept all network traffic, modify device configurations, install malware, and pivot to other connected devices.

🟠

Likely Case

Attackers gain administrative access to the router, enabling them to change DNS settings, redirect traffic, or disable security features.

🟢

If Mitigated

If proper network segmentation and monitoring are in place, impact may be limited to the compromised device only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Credential disclosure vulnerability typically requires network access to the device's management interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: CBR40: 2.5.0.10 or later; RBK752/RBR750/RBS750: 3.2.15.25 or later; RBK852/RBR850/RBS850: 3.2.10.11 or later

Vendor Advisory: https://kb.netgear.com/000062357/Security-Advisory-for-Admin-Credential-Disclosure-on-Some-WiFi-Systems-PSV-2020-0045

Restart Required: Yes

Instructions:

1. Log into NETGEAR router admin interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and apply if available. 4. Reboot device after update completes.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevents external access to the admin interface

Change Admin Credentials

all

Change default admin password to strong unique password

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with restricted access
  • Implement network monitoring for unusual admin login attempts

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under Advanced > Administration > Firmware Update

Check Version:

Check via web interface or use NETGEAR Nighthawk app

Verify Fix Applied:

Confirm firmware version matches or exceeds patched versions listed in advisory

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful admin login
  • Admin login from unusual IP addresses

Network Indicators:

  • Unusual traffic to router admin port (typically 80/443)
  • DNS configuration changes without authorization

SIEM Query:

source="router_logs" AND (event="admin_login" AND src_ip NOT IN [authorized_ips])

📊 Metadata

CVE ID: CVE-2020-26897
CVSS v3 Score: 9.6 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Published: October 9, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON