Login Sign Up

CVE-2021-29065

9.6 CRITICAL
Authentication Bypass

📋 TL;DR

CVE-2021-29065 is an authentication bypass vulnerability in NETGEAR RBR850 routers that allows attackers to gain unauthorized access to the device's administrative interface without valid credentials. This affects all NETGEAR RBR850 devices running firmware versions before 3.2.10.11. Attackers can exploit this to take full control of the router.

💻 Affected Systems

Products:
  • NETGEAR RBR850
Versions: All firmware versions before 3.2.10.11
Operating Systems: NETGEAR proprietary firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the router's web administration interface. No special configuration required for exploitation.

📦 What is this software?

Rbr850 Firmware by Netgear

View all CVEs affecting Rbr850 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept all network traffic, modify DNS settings, install malware, and pivot to internal network devices.

🟠

Likely Case

Unauthorized access to router configuration, enabling attackers to change network settings, monitor traffic, or disable security features.

🟢

If Mitigated

Limited impact if router is behind firewall with restricted WAN access and strong network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access, but requires local network presence.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Authentication bypass typically requires minimal technical skill. Public exploit details exist in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.10.11 and later

Vendor Advisory: https://kb.netgear.com/000063006/Security-Advisory-for-Authentication-Bypass-on-RBR850-PSV-2020-0029

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and install version 3.2.10.11 or later. 4. Router will automatically restart after update.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevents external attackers from accessing the admin interface over the internet

Network Segmentation

all

Place router on isolated management network with restricted access

🧯 If You Can't Patch

  • Replace affected device with patched model or different vendor
  • Implement strict network access controls to limit who can reach the router's admin interface

🔍 How to Verify

Check if Vulnerable:

Check current firmware version in router admin interface under Advanced > Administration > Firmware Update

Check Version:

No CLI command - check via web interface at http://routerlogin.net or router IP

Verify Fix Applied:

Confirm firmware version is 3.2.10.11 or later in the same location

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to admin interface
  • Successful logins from unexpected IP addresses
  • Configuration changes without proper authentication

Network Indicators:

  • HTTP requests to router admin interface from external IPs
  • Unusual traffic patterns to router management ports

SIEM Query:

source="router" AND (event="login_success" OR event="config_change") AND user="unknown" OR src_ip NOT IN [allowed_management_ips]

📊 Metadata

CVE ID: CVE-2021-29065
CVSS v3 Score: 9.6 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Published: March 23, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON