Login Sign Up

CVE-2020-27872

8.8 HIGH
Authentication Bypass

📋 TL;DR

This vulnerability allows network-adjacent attackers to bypass authentication on NETGEAR R7450 routers by exploiting improper state tracking in the password recovery process. Attackers can leverage this with other vulnerabilities to execute code as root. Only users of affected NETGEAR router models are impacted.

💻 Affected Systems

Products:
  • NETGEAR R7450
Versions: 1.2.0.62_1.0.1
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the mini_httpd service listening on TCP port 80. Other NETGEAR models may be affected but this CVE specifically references R7450.

📦 What is this software?

Ac2100 Firmware by Netgear

View all CVEs affecting Ac2100 Firmware →

Ac2400 Firmware by Netgear

View all CVEs affecting Ac2400 Firmware →

Ac2600 Firmware by Netgear

View all CVEs affecting Ac2600 Firmware →

R6020 Firmware by Netgear

View all CVEs affecting R6020 Firmware →

R6080 Firmware by Netgear

View all CVEs affecting R6080 Firmware →

R6120 Firmware by Netgear

View all CVEs affecting R6120 Firmware →

R6220 Firmware by Netgear

View all CVEs affecting R6220 Firmware →

R6230 Firmware by Netgear

View all CVEs affecting R6230 Firmware →

R6260 Firmware by Netgear

View all CVEs affecting R6260 Firmware →

R6330 Firmware by Netgear

View all CVEs affecting R6330 Firmware →

R6350 Firmware by Netgear

View all CVEs affecting R6350 Firmware →

R6700 Firmware by Netgear

View all CVEs affecting R6700 Firmware →

R6800 Firmware by Netgear

View all CVEs affecting R6800 Firmware →

R6850 Firmware by Netgear

View all CVEs affecting R6850 Firmware →

R6900 Firmware by Netgear

View all CVEs affecting R6900 Firmware →

R7200 Firmware by Netgear

View all CVEs affecting R7200 Firmware →

R7350 Firmware by Netgear

View all CVEs affecting R7350 Firmware →

R7400 Firmware by Netgear

View all CVEs affecting R7400 Firmware →

R7450 Firmware by Netgear

View all CVEs affecting R7450 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full router compromise with root-level code execution, allowing attackers to intercept all network traffic, modify router settings, and use the router as a foothold into the internal network.

🟠

Likely Case

Authentication bypass leading to unauthorized access to router administration interface, potentially enabling configuration changes and credential theft.

🟢

If Mitigated

Limited impact if router is not internet-facing and network segmentation prevents lateral movement from compromised devices.

🌐 Internet-Facing: HIGH - Routers with web administration exposed to internet are directly exploitable by remote attackers.
🏢 Internal Only: MEDIUM - Network-adjacent attackers on the same LAN can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Authentication not required. Exploit requires network adjacency and may need chaining with other vulnerabilities for full code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 1.2.0.62_1.0.1 or later (check NETGEAR advisory for exact fixed version)

Vendor Advisory: https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and apply latest firmware. 4. Reboot router after update completes.

🔧 Temporary Workarounds

Disable remote administration

all

Prevent external access to router web interface

Navigate to Advanced > Administration > Remote Management and disable

Change default admin password

all

Use strong unique password for router administration

Navigate to Advanced > Administration > Set Password

🧯 If You Can't Patch

  • Segment router management interface to isolated VLAN
  • Implement network access controls to limit who can reach router administration interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under Advanced > Administration > Firmware Update

Check Version:

Check router web interface or use nmap scan on port 80 to identify service version

Verify Fix Applied:

Verify firmware version is updated to patched version and test password recovery functionality

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful login
  • Unusual password reset or recovery requests
  • Access from unexpected IP addresses to admin interface

Network Indicators:

  • Unusual HTTP requests to router port 80 containing password recovery parameters
  • Traffic patterns suggesting router configuration changes

SIEM Query:

source="router_logs" AND (event="authentication" AND result="success" AND user="admin") OR (url CONTAINS "password" OR "recovery")

📊 Metadata

CVE ID: CVE-2020-27872
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-642
Published: February 4, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-27872, you might also want to check these:

CVE-2025-49090 7.1

This vulnerability in the Matrix specification before version 1.16 allows attackers to manipulate ro...

Same vulnerability type (CWE-642)
CVE-2024-22387 6.8

This vulnerability allows authenticated users of Gallagher Controller 6000/7000 diagnostic web inter...

Same vulnerability type (CWE-642)
CVE-2024-8754 6.4

This vulnerability allows attackers to squat on GitLab accounts by linking arbitrary unclaimed provi...

Same vulnerability type (CWE-642)