CVE-2021-27274

9.8 CRITICAL

📋 TL;DR

This is an unauthenticated remote code execution vulnerability in the NETGEAR ProSAFE Network Management System (NMS300). A directory traversal in the file upload handler lets anyone who can reach the web interface write a file to a location of their choosing on the server and execute arbitrary code as SYSTEM, with no credentials required. Version 1.6.0.26 is affected; the fix is 1.7.0.5 or later.

💻 Affected Systems

Products:
  • NETGEAR ProSAFE Network Management System (NMS300)
Versions: 1.6.0.26 (the build ZDI tested; earlier builds are not listed either way, so treat anything below 1.7.0.5 as unpatched)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the MFileUploadController class, which handles file uploads and uses a user-supplied path in file operations without validating it, so an uploaded file can be written outside the intended upload directory.
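The missing check behind this class of bug, shown as an added illustration (this is not NETGEAR's code; MFileUploadController is a Java class whose source is not published, so both functions below are hypothetical models of the pattern the advisory describes, a client-supplied path used in a file write without validation). The upload root, the allow-listed extensions and the sample file names are all constructed for the example.

```python
"""Vulnerable vs. hardened handling of a client-supplied upload file name.
Added illustration of the CVE-2021-27274 bug class; not NETGEAR's code.
UPLOAD_ROOT and SAFE_EXT are assumptions, not real NMS300 settings."""
import os
import posixpath
from typing import FrozenSet, Optional

UPLOAD_ROOT = "/srv/nms/uploads"          # assumed upload directory
SAFE_EXT: FrozenSet[str] = frozenset({".txt", ".csv", ".cfg", ".mib"})


def vulnerable_target_path(upload_root: str, client_filename: str) -> str:
    """Vulnerable pattern: the name the client sent is joined to the upload
    root as-is, so '../' segments walk out of the directory and let the
    client choose the write location (a server-side script dropped under the
    web root becomes remote code execution)."""
    return os.path.join(upload_root, client_filename)


def hardened_target_path(upload_root: str, client_filename: str,
                         allowed_ext: FrozenSet[str] = SAFE_EXT) -> Optional[str]:
    """Returns an absolute path inside upload_root, or None to reject.
    Three independent checks, any one of which stops the traversal:
    1. the name must be a bare leaf (no '/', '\\', '..' or NUL);
    2. the extension must be on an allow-list (no .jsp/.exe/.bat);
    3. the resolved target must still sit under the resolved root."""
    if "\x00" in client_filename:
        return None
    name = client_filename.replace("\\", "/")     # Windows and POSIX separators
    leaf = posixpath.basename(name)
    if leaf != name or leaf in ("", ".", ".."):
        return None
    if os.path.splitext(leaf)[1].lower() not in allowed_ext:
        return None
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, leaf))
    if os.path.commonpath([root, target]) != root:  # containment, after symlink resolution
        return None
    return target


def escapes_root(upload_root: str, path: str) -> bool:
    """True when the normalized path lies outside upload_root; used to show
    where the vulnerable join actually writes."""
    root = os.path.normpath(os.path.abspath(upload_root))
    norm = os.path.normpath(os.path.abspath(path))
    return os.path.commonpath([root, norm]) != root


if __name__ == "__main__":
    # Constructed sample names: one benign, two traversal attempts, one bad extension.
    for name in ("report.csv", "../../webapps/evil.jsp", "..\\..\\x.cfg", "evil.jsp"):
        raw = vulnerable_target_path(UPLOAD_ROOT, name)
        print(f"{name!r:28} vulnerable escapes root: {escapes_root(UPLOAD_ROOT, raw)!s:5} "
              f"hardened: {hardened_target_path(UPLOAD_ROOT, name)}")
```

The realpath containment check alone is not enough in practice (a race between the check and the write, or a symlink created inside the upload directory, can defeat it), which is why the leaf-only and allow-list checks come first; rejecting anything that is not a bare, allow-listed file name leaves nothing for the path check to catch.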

📦 What is this software?

NETGEAR ProSAFE NMS300 is a Windows-based, Java web application for discovering, configuring and monitoring NETGEAR switches, wireless access points and other devices, mainly over SNMP. It therefore stores the SNMP community strings and device login credentials for everything it manages, which is what makes compromise of the NMS host a path into the network infrastructure itself.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the NMS server with SYSTEM privileges: the attacker can install malware, read the SNMP and device credentials the NMS stores for every managed switch and access point, reconfigure or disrupt those devices, pivot to other systems on the management network, and exfiltrate data.

🟠

Likely Case

Attackers drop ransomware, cryptocurrency miners or a backdoor on the NMS server to keep persistent access to the management network, using the SYSTEM foothold gained without any credentials.

🟢

If Mitigated

If the NMS is segmented onto a management network and its traffic is monitored, the impact is limited to the NMS server itself, and any attempt to move laterally from it should be visible to detection.

🌐 Internet-Facing: HIGH - No authentication is required and exploitation is low-complexity, so an NMS web interface reachable from the internet is a prime target and should be assumed to have been probed.
🏢 Internal Only: HIGH - Exploitation needs only network reachability to the web interface, so any host on the management network, an insider, or an attacker who has already compromised one internal system can exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ZDI published an advisory with technical details, and the vulnerability has been reported as exploited in the wild. Any server that ran 1.6.0.26 while reachable should therefore be checked for the indicators under Detection & Monitoring as well as patched; an unauthenticated SYSTEM-level RCE leaves no safe assumption that a patched host was clean beforehand.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.7.0.5 or later

Vendor Advisory: https://kb.netgear.com/000062688/Security-Advisory-for-Pre-Authentication-Command-Injection-on-NMS300-PSV-2020-0560

Restart Required: Yes

Instructions:

  1. Back up the current NMS configuration and database before touching the installation.
  2. Download the latest NMS300 software (1.7.0.5 or later) from the NETGEAR support site.
  3. Run the installer on the NMS server to upgrade in place.
  4. Restart the NMS service and confirm the web interface reports 1.7.0.5 or later.
  5. If the server ran 1.6.0.26 while reachable from untrusted networks, treat it as potentially compromised: review the indicators under Detection & Monitoring before trusting the upgraded host, and rotate the device credentials (SNMP community strings, switch and access point logins) the NMS stores, since an attacker with SYSTEM could have read them.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all affected versions

Isolate the NMS server from the internet and restrict access to its web interface to a trusted management network (admin VLAN or jump host). This removes the unauthenticated attack surface but does not fix the flaw: anything that can still reach the interface can still exploit it.

Firewall Rules

Applies to: all affected versions

Block external access to the NMS web interface at the network perimeter and on the host firewall. NMS300 listens on TCP 8080 by default; use 80/443 if the installation has been reconfigured to those ports.

🧯 If You Can't Patch

  • Take the NMS server offline, or cut its network path to everything except a dedicated admin host, and manage devices directly until you can patch; a pre-authentication RCE has no safe level of exposure
  • If it must stay up, enforce the segmentation above, log every connection to the web interface, and alert on the indicators under Detection & Monitoring, in particular shells spawned by the NMS Java process

🔍 How to Verify

Check if Vulnerable:

Check the NMS version in the web interface under Help > About. 1.6.0.26 is vulnerable; treat any build below 1.7.0.5 as unpatched.

Check Version:

Check the web interface, or the NMS300 entry in Windows Programs and Features (Control Panel > Programs and Features, or Settings > Apps) on the server itself.

Verify Fix Applied:

Confirm that Help > About reports 1.7.0.5 or later after the upgrade and service restart, not just that the installer completed.

📡 Detection & Monitoring

Log Indicators:

  • Accepted POST requests to the upload endpoint handled by MFileUploadController (the advisory names the class, not its URI mapping, so identify the upload URI in your own access logs) whose file name contains ../ or ..\ sequences, possibly URL-encoded, or an executable extension such as .jsp, .exe or .bat
  • cmd.exe, powershell.exe or other living-off-the-land binaries spawned as children of the NMS300 Java process, which runs as SYSTEM
  • New files appearing under the NMS300 web root, or anywhere outside the intended upload directory, shortly after an upload request
  • Upload requests with no preceding authenticated session; the endpoint is reachable before login, so a failed authentication is not a prerequisite and its absence is not reassuring

Network Indicators:

  • Multipart POST requests to the upload endpoint from hosts that are not known management workstations
  • Outbound connections from the NMS server to unknown external IPs, which a management server normally has no reason to make

SIEM Query (Splunk-style; index, sourcetype and field names are placeholders to map onto your own schema, and "*upload*" stands for the real upload URI once you have identified it):

  (sourcetype="nms300:access" method="POST" status=2* uri="*upload*"
     (uri="*../*" OR uri="*..%2F*" OR uri="*..%5C*" OR uri="*.jsp*" OR uri="*.exe*" OR uri="*.bat*"))
  OR
  (sourcetype="sysmon" EventCode=1 ParentImage="*\\java.exe"
     (Image="*\\cmd.exe" OR Image="*\\powershell.exe"))

The two clauses are independent: the first catches the upload, the second the resulting shell. Matching any cmd.exe or powershell.exe on the host, as a flat query would, is far too noisy; restricting the child to a Java parent is what makes the process clause useful.
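The detection logic for the indicators above, run over constructed sample events, as an added example that is not from the NETGEAR or ZDI advisories. It assumes things the advisory does not state: that the upload endpoint's URI contains "upload", that a reverse proxy in front of the NMS logs the submitted file name as a `filename` query parameter, and that the NMS300 web tier is a `java.exe` process (Sysmon Event ID 1 field names are used for the process events). The log lines, process records, paths and addresses are all constructed.

```python
"""Detection for CVE-2021-27274 indicators over constructed sample events.
Added example; not NETGEAR's or ZDI's. Assumptions (not in the advisory):
upload URI contains 'upload'; the proxy logs the submitted name as a
'filename' query parameter; the NMS UI runs in java.exe; Sysmon Event ID 1
field names for process creation."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-format access log line (Tomcat/nginx/Apache style).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]+" (?P<status>\d{3}) \S+')
EXEC_EXT = (".jsp", ".jspx", ".war", ".exe", ".dll", ".bat", ".cmd", ".ps1")
TRAVERSAL = re.compile(r'(^|[\\/])\.\.(?=[\\/]|$)')     # '..' as its own path segment
JAVA_PARENTS = {"java.exe", "javaw.exe", "tomcat8.exe", "tomcat9.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}


def suspicious_upload(line: str, endpoint_hint: str = "upload") -> bool:
    """Accepted (2xx) POST to the upload endpoint whose submitted file name
    contains a traversal segment, a NUL byte, or an executable extension."""
    m = ACCESS_RE.match(line)
    if not m or m["method"] != "POST" or not m["status"].startswith("2"):
        return False
    parts = urlsplit(m["uri"])
    if endpoint_hint.lower() not in parts.path.lower():
        return False
    for raw in parse_qs(parts.query).get("filename", []):
        name = unquote(raw).lower()      # parse_qs decoded once; this catches double encoding
        if TRAVERSAL.search(name) or "\x00" in name or name.endswith(EXEC_EXT):
            return True
    return False


def _basename(win_path: str) -> str:
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_child_process(event: dict) -> bool:
    """A shell or LOLBin spawned by the Java process serving the NMS UI.
    The account is normally NT AUTHORITY\\SYSTEM; it is kept for triage rather
    than used as a filter so a service-account install is still caught."""
    return (_basename(event.get("ParentImage", "")) in JAVA_PARENTS
            and _basename(event.get("Image", "")) in SUSPECT_CHILDREN)


# Constructed sample data, not real traffic. 203.0.113.7 plays the attacker.
ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2021:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2021:10:01:09 +0000] "POST /upload.do?filename=report.csv HTTP/1.1" 200 88',
    '203.0.113.7 - - [12/Mar/2021:10:02:30 +0000] "POST /upload.do?filename=..%2F..%2Fevil.jsp HTTP/1.1" 200 88',
    '203.0.113.7 - - [12/Mar/2021:10:02:31 +0000] "POST /upload.do?filename=a.jsp%00.txt HTTP/1.1" 200 88',
    '203.0.113.7 - - [12/Mar/2021:10:02:32 +0000] "POST /upload.do?filename=..%2Fx.txt HTTP/1.1" 500 88',
]
PROCESS_EVENTS = [  # assumed install path C:\NMS300; Sysmon Event ID 1 fields
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\NMS300\jre\bin\java.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"NMS01\admin"},
    {"Image": r"C:\NMS300\mysql\bin\mysqld.exe",
     "ParentImage": r"C:\NMS300\jre\bin\java.exe", "User": r"NT AUTHORITY\SYSTEM"},
]


def run_detection(access_log=ACCESS_LOG, process_events=PROCESS_EVENTS) -> dict:
    """Returns matching lines and events so they can be asserted on or forwarded."""
    return {"uploads": [ln for ln in access_log if suspicious_upload(ln)],
            "processes": [ev for ev in process_events if suspicious_child_process(ev)]}


if __name__ == "__main__":
    hits = run_detection()
    for ln in hits["uploads"]:
        print("UPLOAD ", ln)
    for ev in hits["processes"]:
        print("PROCESS", ev["User"], _basename(ev["ParentImage"]), "->", _basename(ev["Image"]))
```

Of the five sample requests only the two accepted uploads from 203.0.113.7 fire: the benign `report.csv` upload and the rejected (HTTP 500) traversal attempt do not, and the `a.jsp%00.txt` name is caught by the NUL check rather than the extension list, which is the point of checking more than one thing. On the process side only cmd.exe under java.exe matches; the same cmd.exe under explorer.exe and the NMS database child are ignored.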

🔗 References
