CVE-2020-35795
📋 TL;DR
This CVE describes a critical buffer overflow vulnerability in multiple NETGEAR routers, range extenders, and Orbi WiFi systems. An unauthenticated attacker can exploit this remotely to execute arbitrary code or cause denial of service. All listed NETGEAR devices running firmware versions below the specified thresholds are affected.
💻 Affected Systems
- NETGEAR AC2100
- AC2400
- AC2600
- CBK40
- CBR40
- D7800
- EAX20
- EAX80
- EX7500
- MK62
- MR60
- MS60
- R6120
- R6220
- R6230
- R6260
- R6330
- R6350
- R6400
- R6400v2
- R6700
- R6700v2
- R6700v3
- R6800
- R6850
- R6900P
- R6900
- R6900v2
- R7000
- R7000P
- R7200
- R7350
- R7400
- R7450
- R7800
- R7850
- R7900
- R7900P
- R7960P
- R8000
- R8000P
- R8900
- R9000
- RAX120
- RAX15
- RAX20
- RAX200
- RAX45
- RAX50
- RAX75
- RAX80
- RBK12
- RBR10
- RBS10
- RBK20
- RBR20
- RBS20
- RBK40
- RBR40
- RBS40
- RBK50
- RBR50
- RBS50
- RBK752
- RBR750
- RBS750
- RBK842
- RBR840
- RBS840
- RBK852
- RBR850
- RBS850
- RS400
- XR300
- XR450
- XR500
- XR700
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete device compromise, network takeover, credential theft, and lateral movement into connected networks.
Likely Case
Denial of service (device crash/reboot) or limited code execution to modify device settings and intercept network traffic.
If Mitigated
If properly patched or isolated, impact is minimal with only potential temporary service disruption from attack attempts.
🎯 Exploit Status
The vulnerability requires no authentication and has a high CVSS score, making it attractive for attackers. While no public PoC is confirmed, similar router vulnerabilities are often weaponized quickly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Varies by device - see NETGEAR advisory for specific fixed versions
Restart Required: Yes
Instructions:
1. Identify your NETGEAR device model. 2. Visit the NETGEAR support page for your device. 3. Download the latest firmware version that addresses this vulnerability. 4. Log into your router admin interface. 5. Navigate to Advanced > Administration > Firmware Update. 6. Upload the downloaded firmware file. 7. Wait for the update to complete and router to reboot.
🔧 Temporary Workarounds
Network Segmentation
allIsolate affected devices from untrusted networks to limit attack surface
Disable Remote Management
allTurn off remote administration features to prevent external exploitation
🧯 If You Can't Patch
- Replace affected devices with patched models or alternative vendors
- Implement strict network access controls and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check your device's firmware version via the router admin interface (typically under Advanced > Administration > Firmware Update) and compare against the patched versions listed in the NETGEAR advisory.Check Version:
No CLI command - check via web interface at http://routerlogin.net or http://192.168.1.1Verify Fix Applied:
After updating firmware, verify the version number matches or exceeds the patched version specified for your device model in the NETGEAR advisory.📡 Detection & Monitoring
Log Indicators:
- Unexpected device reboots
- Unusual traffic patterns from router
- Failed authentication attempts to router admin interface
Network Indicators:
- Unusual outbound connections from router
- Traffic to known exploit servers
- Port scanning from router IP
SIEM Query:
Example: 'source_ip=router_ip AND (event_type="device_reboot" OR dest_port=80,443 AND user_agent contains exploit_pattern)'🔗 References
- https://kb.netgear.com/000062735/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Some-Routers-Range-Extenders-and-Orbi-WiFi-Systems-PSV-2020-0154
- https://kb.netgear.com/000062735/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Some-Routers-Range-Extenders-and-Orbi-WiFi-Systems-PSV-2020-0154
