CVE-2020-26903

9.6 CRITICAL

📋 TL;DR

This vulnerability allows attackers to obtain administrative credentials on affected NETGEAR WiFi systems. Attackers can gain full administrative control over the devices, potentially compromising the entire network. The vulnerability affects specific NETGEAR CBR40, RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850 devices running outdated firmware.

💻 Affected Systems

Products:
  • NETGEAR CBR40
  • NETGEAR RBK752
  • NETGEAR RBR750
  • NETGEAR RBS750
  • NETGEAR RBK852
  • NETGEAR RBR850
  • NETGEAR RBS850
Versions: CBR40 before 2.5.0.10; RBK752/RBR750/RBS750 before 3.2.15.25; RBK852/RBR850/RBS850 before 3.2.10.11
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects specific firmware versions of these NETGEAR WiFi systems. All devices running affected firmware are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full network compromise: attackers gain administrative access, can reconfigure devices, intercept traffic, install malware, and pivot to other network systems.

🟠 Likely Case

Unauthorized administrative access leading to network configuration changes, traffic monitoring, and potential credential theft from connected devices.

🟢 If Mitigated

Limited impact if devices are behind firewalls, have strong network segmentation, and attackers cannot reach the administrative interface.

🌐 Internet-Facing: HIGH - If administrative interfaces are exposed to the internet, attackers can remotely exploit this without network access.
🏢 Internal Only: HIGH - Even internally, any compromised device or malicious insider could exploit this to gain administrative privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory describes credential disclosure with no authentication required, which points to low-complexity exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: CBR40: 2.5.0.10 or later; RBK752/RBR750/RBS750: 3.2.15.25 or later; RBK852/RBR850/RBS850: 3.2.10.11 or later

Vendor Advisory: https://kb.netgear.com/000062351/Security-Advisory-for-Admin-Credential-Disclosure-on-Some-WiFi-Systems-PSV-2020-0043

Restart Required: Yes

Instructions:

1. Log into the NETGEAR router admin interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install the latest firmware.
4. Reboot the device after the update completes.

🔧 Temporary Workarounds

Restrict administrative interface access (applies to: all affected models)

Limit access to the router administrative interface to trusted IP addresses only.

Change administrative credentials (applies to: all affected models)

Change default or current administrative passwords to strong, unique credentials.

🧯 If You Can't Patch

  • Isolate affected devices in separate network segments with strict firewall rules
  • Disable remote administrative access and only allow local network administration

🔍 How to Verify

Check if Vulnerable:

Access router admin interface, navigate to Advanced > Administration > Firmware Update, check current firmware version against affected versions list.

Check Version:

Check via web interface at Advanced > Administration > Firmware Update or via router login page

Verify Fix Applied:

Confirm firmware version matches or exceeds patched versions: CBR40 ≥2.5.0.10, RBK752/RBR750/RBS750 ≥3.2.15.25, RBK852/RBR850/RBS850 ≥3.2.10.11
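The version check above is easy to get wrong when done as a string comparison ("3.2.9.1" sorts after "3.2.15.25" as text). The following is an added example, not code from the advisory or from NETGEAR: it encodes the fixed versions listed on this page per model, parses the version string as numeric components, and triages a constructed inventory. The assumption that a NETGEAR UI may show a leading "V" and a trailing "_<build>" suffix (e.g. "V3.2.15.25_1.0.3") is the author's, as are all hostnames and versions in the sample inventory.

```python
# Added example for CVE-2020-26903 (not from the advisory): decide whether a
# device's reported firmware version is below the fixed version for its model.

# Fixed versions per model, exactly as listed in the advisory.
FIXED_VERSIONS = {
    "CBR40": "2.5.0.10",
    "RBK752": "3.2.15.25",
    "RBR750": "3.2.15.25",
    "RBS750": "3.2.15.25",
    "RBK852": "3.2.10.11",
    "RBR850": "3.2.10.11",
    "RBS850": "3.2.10.11",
}


def parse_version(version: str) -> tuple:
    """Turn a dotted firmware string into a tuple of ints.

    Assumption (not from the advisory): the UI may display a leading 'V' and a
    trailing '_<build>' suffix, e.g. 'V3.2.15.25_1.0.3'; both are stripped.
    Comparing int tuples avoids the string-compare bug where '3.2.9.1' > '3.2.15.25'.
    """
    core = version.strip().lstrip("Vv").split("_", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(model: str, version: str):
    """True if the model is in scope and the version is below its fixed version,
    False if it is at or above the fix, None if the model is not covered here."""
    fixed = FIXED_VERSIONS.get(model.strip().upper())
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Split (hostname, model, version) records into patch / patched / out-of-scope buckets."""
    report = {"needs_patch": [], "patched": [], "out_of_scope": []}
    for host, model, version in inventory:
        state = is_vulnerable(model, version)
        key = "out_of_scope" if state is None else ("needs_patch" if state else "patched")
        report[key].append(host)
    return report


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("orbi-router-1", "RBR750", "V3.2.15.20_1.0.3"),
    ("orbi-sat-1", "RBS750", "3.2.15.25"),
    ("cable-1", "CBR40", "2.5.0.9"),
    ("orbi-router-2", "RBR850", "3.2.9.5"),
    ("other-ap", "R7000", "1.0.11.100"),   # not in this advisory's scope
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Feed `triage` the model and version strings you read from Advanced > Administration > Firmware Update; any host in `needs_patch` is below the fixed version for its model, and `out_of_scope` hosts need checking against other advisories rather than being assumed safe.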

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful administrative access
  • Unusual administrative configuration changes
  • Access from unexpected IP addresses to administrative interface

Network Indicators:

  • Unusual traffic patterns from router administrative ports
  • Administrative interface access from unauthorized networks

SIEM Query:

source="router_logs" AND (event_type="admin_login" OR event_type="config_change") AND src_ip NOT IN [trusted_admin_ips]
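The query above, and the "failed logins followed by a successful administrative login" indicator listed earlier, expressed as Python over key=value router log records so the logic can be tested offline. This is an added example, not part of the advisory and not a vendor tool: the field names (`event_type`, `src_ip`, `result`) mirror the SIEM query, while the log lines, the trusted management range `192.168.1.0/24` and the failure threshold of 3 are constructed for the example.

```python
# Added example (not from the advisory): the SIEM query
#   source="router_logs" AND (event_type="admin_login" OR event_type="config_change")
#   AND src_ip NOT IN [trusted_admin_ips]
# plus the failed-then-successful-login indicator, run over constructed log lines.

import ipaddress
from collections import defaultdict

ADMIN_EVENTS = {"admin_login", "config_change"}


def parse_line(line: str) -> dict:
    """Parse a key=value log line into a dict (values may be double-quoted)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value.strip('"')
    return fields


def untrusted_admin_events(records, trusted_cidrs):
    """Admin-interface events whose source address is outside the trusted ranges.

    Records with a missing or malformed src_ip are surfaced rather than dropped,
    so a logging gap cannot silently hide an administrative action.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for rec in records:
        if rec.get("source") != "router_logs" or rec.get("event_type") not in ADMIN_EVENTS:
            continue
        try:
            ip = ipaddress.ip_address(rec.get("src_ip", ""))
        except ValueError:
            hits.append(rec)
            continue
        if not any(ip in net for net in trusted):
            hits.append(rec)
    return hits


def failed_then_success(records, threshold=3):
    """Source IPs with at least `threshold` failed admin logins directly before a success."""
    failures = defaultdict(int)
    flagged = []
    for rec in records:
        if rec.get("event_type") != "admin_login":
            continue
        ip = rec.get("src_ip")
        if rec.get("result") == "failure":
            failures[ip] += 1
        elif rec.get("result") == "success":
            if failures[ip] >= threshold:
                flagged.append(ip)
            failures[ip] = 0   # a success closes the burst, counting restarts
    return flagged


# Constructed sample log: timestamps, addresses and settings are made up.
SAMPLE_LOG = """\
ts=2020-10-05T08:00:01Z source=router_logs event_type=admin_login src_ip=192.168.1.10 user=admin result=success
ts=2020-10-05T08:05:12Z source=router_logs event_type=dhcp_lease src_ip=192.168.1.57
ts=2020-10-05T09:12:40Z source=router_logs event_type=admin_login src_ip=203.0.113.45 user=admin result=failure
ts=2020-10-05T09:12:41Z source=router_logs event_type=admin_login src_ip=203.0.113.45 user=admin result=failure
ts=2020-10-05T09:12:42Z source=router_logs event_type=admin_login src_ip=203.0.113.45 user=admin result=failure
ts=2020-10-05T09:12:50Z source=router_logs event_type=admin_login src_ip=203.0.113.45 user=admin result=success
ts=2020-10-05T09:13:05Z source=router_logs event_type=config_change src_ip=203.0.113.45 user=admin setting=remote_mgmt
ts=2020-10-05T10:00:00Z source=router_logs event_type=config_change src_ip=192.168.1.10 user=admin setting=wifi_password
"""

TRUSTED_ADMIN_CIDRS = ["192.168.1.0/24"]   # constructed trusted management range


def run(log_text=SAMPLE_LOG, trusted=TRUSTED_ADMIN_CIDRS):
    """Return (untrusted admin events, IPs showing a failure burst then success)."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return untrusted_admin_events(records, trusted), failed_then_success(records)


if __name__ == "__main__":
    hits, bursts = run()
    for rec in hits:
        print("untrusted admin event:", rec["ts"], rec["event_type"], rec["src_ip"])
    print("failure burst then success from:", bursts)
```

The allowlist filter and the burst detector are deliberately separate: the first catches any administrative action from outside the management range, the second catches the pattern listed under Log Indicators even when it comes from an address inside that range.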
