CVE-2020-35800
📋 TL;DR
CVE-2020-35800 is a security misconfiguration vulnerability affecting numerous NETGEAR routers, range extenders, and Orbi WiFi systems. It allows attackers to bypass authentication and access administrative interfaces due to incorrect security settings. Users with affected devices running vulnerable firmware versions are at risk.
💻 Affected Systems
- NETGEAR AC2100
- AC2400
- AC2600
- CBK40
- CBR40
- D6000
- D6220
- D6400
- D7000v2
- D7800
- D8500
- DC112A
- DGN2200v4
- DM200
- EAX20
- EAX80
- EX2700
- EX3110
- EX3700
- EX3800
- EX3920
- EX6000
- EX6100v2
- EX6110
- EX6120
- EX6130
- EX6150v1
- EX6150v2
- EX6200v1
- EX6250
- EX6400
- EX6400v2
- EX6410
- EX6920
- EX7000
- EX7300
- EX7300v2
- EX7320
- EX7500
- EX7700
- EX8000
- MK62
- MR60
- MS60
- R6120
- R6220
- R6230
- R6250
- R6260
- R6300v2
- R6330
- R6350
- R6400v1
- R6400v2
- R6700v1
- R6700v2
- R6700v3
- R6800
- R6850
- R6900
- R6900P
- R6900v2
- R7000
- R7000P
- R7100LG
- R7200
- R7350
- R7400
- R7450
- R7500v2
- R7800
- R7850
- R7900
- R7900P
- R7960P
- R8000
- R8000P
- R8300
- R8500
- R8900
- R9000
- RAX120
- RAX15
- RAX20
- RAX200
- RAX35
- RAX40
- RAX45
- RAX50
- RAX75
- RAX80
- RBK12
- RBR10
- RBS10
- RBK20
- RBR20
- RBS20
- RBK40
- RBR40
- RBS40
- RBK50
- RBR50
- RBS50
- RBK752
- RBR750
- RBS750
- RBK842
- RBR840
- RBS840
- RBK852
- RBR850
- RBS850
- RBS40V
- RBS40V-200
- RBS50Y
- RBW30
- RS400
- WN2500RPv2
- WN3000RPv3
- WN3500RPv1
- WNDR3400v3
- WNR1000v3
- WNR2000v2
- XR300
- XR450
- XR500
- XR700
⚠️ Risk & Real-World Impact
Worst Case
Full device compromise allowing attackers to reconfigure network settings, intercept traffic, install malware, or use the device as a pivot point into the internal network.
Likely Case
Unauthorized access to router administration panel leading to network configuration changes, DNS hijacking, or credential theft.
If Mitigated
Limited impact if devices are behind firewalls, not internet-facing, and have strong network segmentation.
🎯 Exploit Status
The vulnerability allows unauthenticated access to administrative interfaces, making exploitation straightforward if the device is accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions specified in CVE description (e.g., AC2100 1.2.0.72 or later)
Vendor Advisory: https://kb.netgear.com/000062733/Security-Advisory-for-Security-Misconfiguration-on-Some-Routers-Range-Extenders-and-Orbi-WiFi-Systems-PSV-2020-0112
Restart Required: Yes
Instructions:
1. Identify your device model and current firmware version via web interface.
2. Visit NETGEAR support site for your model.
3. Download the patched firmware version.
4. Upload and install via web interface.
5. Reboot device after installation.
🔧 Temporary Workarounds
Disable Remote Management
Prevents external access to administrative interface.
Use Strong Network Segmentation
Place affected devices on isolated network segments to limit attack surface.
🧯 If You Can't Patch
- Replace affected devices with patched models or alternative vendors
- Implement strict firewall rules to block all inbound access to device administration ports (typically 80/443)
🔍 How to Verify
Check if Vulnerable:
Check firmware version in device web interface under Advanced > Administration or similar and compare with patched versions in CVE description.
Check Version:
No CLI command; use web interface at http://[router-ip] and navigate to firmware information page.
Verify Fix Applied:
Confirm firmware version matches or exceeds patched version listed in vendor advisory.
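The "matches or exceeds" comparison has to be numeric per dotted field, since a plain string comparison ranks 1.2.0.8 above 1.2.0.72. The following is an added example, not NETGEAR code or part of the original page: it audits a device inventory against a table of patched versions. Only the AC2100 floor comes from this page; the inventory entries, the function names, and the handling of a leading "V" and a "_" build suffix are assumptions.

```python
import re

# Patched floor per model. Only the AC2100 value appears on this page;
# add the other models from the vendor advisory (PSV-2020-0112).
PATCHED_FLOOR = {"AC2100": "1.2.0.72"}

def parse_version(text):
    """Return the dotted firmware version as a tuple of ints.

    Assumption: the web UI may show a leading 'V' and a build suffix
    after '_' or '-' (e.g. 'V1.2.0.72_1.0.1'); only the dotted part
    before the suffix is compared.
    """
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)(?:[_-].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def check_device(model, firmware):
    """Classify one device as 'patched', 'vulnerable' or 'unknown'."""
    floor = PATCHED_FLOOR.get(model)
    if floor is None:
        return "unknown"  # no floor recorded here: consult the advisory
    have, need = parse_version(firmware), parse_version(floor)
    # Pad to equal length so 1.2.0 compares the same as 1.2.0.0.
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return "patched" if have >= need else "vulnerable"

# Constructed inventory for illustration (not real devices).
INVENTORY = [
    ("AC2100", "V1.2.0.72_1.0.1"),  # exactly at the floor
    ("AC2100", "1.2.0.8"),          # older, though it sorts higher as text
    ("AC2100", "1.2.0.100"),        # newer, though it sorts lower as text
    ("R7000", "1.0.9.88"),          # floor not listed on this page
]

def audit(inventory):
    """Return (model, firmware, status) for every inventory entry."""
    return [(m, fw, check_device(m, fw)) for m, fw in inventory]

if __name__ == "__main__":
    for model, fw, status in audit(INVENTORY):
        print(f"{model:8} {fw:18} {status}")
```

Devices reported as "unknown" still need their patched version looked up in the vendor advisory before they can be treated as fixed.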
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to administrative web interface
- Unexpected configuration changes in router logs
Network Indicators:
- Unusual external connections to router administration ports (80, 443, 8080)
- Traffic patterns suggesting device compromise
SIEM Query:
source="router_logs" AND (event="authentication_failure" OR event="admin_access") AND dest_port IN (80, 443, 8080)