CVE-2021-20167
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands on Netgear RAX43 routers by injecting malicious commands into the name parameter of the readycloud CGI application. Attackers can gain full control of affected devices, potentially compromising network security and connected systems. Only Netgear RAX43 routers running vulnerable firmware versions are affected.
💻 Affected Systems
- Netgear RAX43
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the router allowing attackers to intercept all network traffic, install persistent backdoors, pivot to internal network devices, and use the router as a launch point for further attacks.
Likely Case
Attackers gain shell access to the router, modify DNS settings to redirect traffic, steal credentials from connected devices, and potentially install cryptocurrency miners or botnet malware.
If Mitigated
With proper network segmentation and firewall rules, impact is limited to the router itself, though attackers could still modify router settings and intercept traffic passing through the device.
🎯 Exploit Status
The vulnerability is in a CGI application accessible via HTTP, requiring no authentication. Public exploit code exists and the attack is straightforward to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.0.3.102 or later
Vendor Advisory: https://kb.netgear.com/000064437/Security-Advisory-for-Command-Injection-Vulnerability-on-RAX43-PSV-2021-0010
Restart Required: Yes
Instructions:
1. Log into router admin interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install version 1.0.3.102 or later.
4. Reboot router after update completes.
🔧 Temporary Workarounds
Disable ReadyCloud
Disable the vulnerable ReadyCloud feature to prevent exploitation
1. Log into router admin interface
2. Navigate to Advanced > ReadyCloud
3. Disable ReadyCloud feature
Restrict WAN Access
Block external access to router administration interface
1. Log into router admin interface
2. Navigate to Advanced > Security > Block Sites
3. Add rules to block external access to admin ports
🧯 If You Can't Patch
- Isolate the router on a separate VLAN with strict firewall rules limiting traffic to/from the device
- Implement network monitoring to detect command injection attempts and unusual router behavior
🔍 How to Verify
Check if Vulnerable:
Check router firmware version via admin interface or using command: curl -s http://router-ip/debug.htm | grep Firmware
Check Version:
curl -s http://router-ip/debug.htm | grep 'Firmware Version'
Verify Fix Applied:
Verify firmware version is 1.0.3.102 or higher in router admin interface under Advanced > Administration > Firmware Update
📡 Detection & Monitoring
Log Indicators:
- Unusual CGI requests to /readycloud.cgi with shell metacharacters in parameters
- Unexpected processes spawned from httpd or cgi processes
- Router configuration changes without administrator action
Network Indicators:
- HTTP requests containing shell commands (semicolons, pipes, backticks) to router IP
- Outbound connections from router to suspicious IPs or domains
- DNS queries from router to unusual domains
SIEM Query:
source="router_logs" AND (uri="/readycloud.cgi" AND (param="*;*" OR param="*|*" OR param="*`*"))
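As an added example that is not part of this advisory, the Python scanner below applies the log indicators above to constructed access-log lines. Unlike the wildcard SIEM query, it inspects the query parameters after URL decoding, so a percent-encoded `;` (`%3B`) in the `name` parameter is still flagged. The Common Log Format layout, the `/readycloud.cgi` path and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format), not captured from a real device.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2021:10:00:01 +0000] "GET /readycloud.cgi?name=alice HTTP/1.1" 200 512
192.0.2.44 - - [01/Mar/2021:10:00:02 +0000] "GET /readycloud.cgi?name=alice%3Bid HTTP/1.1" 200 512
192.0.2.44 - - [01/Mar/2021:10:00:03 +0000] "POST /readycloud.cgi?name=a|ls HTTP/1.1" 200 512
192.0.2.10 - - [01/Mar/2021:10:00:04 +0000] "GET /index.htm?name=a;b HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)
# Shell metacharacters named in the indicators above (plus a few common command separators).
META = re.compile(r'[;|`&$(){}\n]')


def suspicious_params(target: str, path: str = "/readycloud.cgi") -> dict:
    """Return {param: decoded value} for parameters of `path` containing shell metacharacters."""
    parts = urlsplit(target)
    if parts.path != path:          # only the vulnerable CGI endpoint is of interest
        return {}
    hits = {}
    # parse_qsl percent-decodes values, so %3B is compared as ';'
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if META.search(value):
            hits[key] = value
    return hits


def scan_log(text: str) -> list:
    """Return one alert dict per log line whose readycloud.cgi parameters look like injection."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that do not match the expected format
        hits = suspicious_params(m.group("target"))
        if hits:
            alerts.append({"src": m.group("src"), "ts": m.group("ts"), "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```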