CVE-2021-29076

9.6 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary commands on affected NETGEAR WiFi systems. It affects RBK852, RBK853, RBK854, RBR850, and RBS850 devices running firmware versions before 3.2.17.12. Attackers can exploit this without any authentication, potentially gaining full control of the device.

💻 Affected Systems

Products:
  • NETGEAR RBK852
  • NETGEAR RBK853
  • NETGEAR RBK854
  • NETGEAR RBR850
  • NETGEAR RBS850
Versions: All versions before 3.2.17.12
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both router (RBR) and satellite (RBS) units in the Orbi WiFi 6 systems. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise leading to network infiltration, data exfiltration, ransomware deployment, or use as a pivot point for attacking other internal systems.

🟠 Likely Case: Device takeover enabling network traffic interception, credential theft, installation of persistent backdoors, or participation in botnets.

🟢 If Mitigated: Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - Directly accessible devices can be exploited by any internet-based attacker without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this, but requires network access to the device.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available. The pre-authentication nature and high CVSS score make this attractive for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.17.12 or later

Vendor Advisory: https://kb.netgear.com/000063015/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-WiFi-Systems-PSV-2020-0485

Restart Required: Yes

Instructions:

1. Log into the NETGEAR Orbi web interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install version 3.2.17.12 or newer.
4. Reboot the device after installation completes.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Place affected devices in isolated network segments with strict firewall rules limiting inbound access.

Access Control Lists (applies to: all)

Implement ACLs to restrict management interface access to trusted IP addresses only.

🧯 If You Can't Patch

  • Disable remote management and WAN-side administration interfaces
  • Implement network monitoring for suspicious command execution patterns on these devices

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface: Advanced > Administration > Firmware Update. If the version is below 3.2.17.12, the device is vulnerable.

Check Version:

No CLI command available. Use web interface at Advanced > Administration > Firmware Update.

Verify Fix Applied:

Confirm that the firmware version is 3.2.17.12 or higher in the same interface. Test that command injection attempts are blocked.
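The version check above is easy to get wrong when scripted across many devices, because a plain string comparison orders "3.2.17.9" after "3.2.17.12". The following is an added example (not from the advisory or from NETGEAR) that compares each dotted component numerically against the fixed release 3.2.17.12; the leading "V" and suffix handling in `parse_version` is an assumption about how version strings may be formatted, not something the advisory states.

```python
"""Added example (not from the advisory): classify a NETGEAR Orbi firmware
version string as vulnerable (older than 3.2.17.12) or fixed, comparing the
dotted components as integers rather than as text."""
import re

# First fixed release named in the vendor advisory.
FIXED_VERSION = (3, 2, 17, 12)


def parse_version(text):
    """Parse '3.2.17.12' or 'V3.2.17.12' into a tuple of ints.

    Assumption (not from the advisory): an optional leading 'V' and any
    non-numeric suffix after the dotted number are ignored.
    """
    m = re.match(r"^[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text):
    """True when the running firmware is older than 3.2.17.12."""
    parts = parse_version(version_text)
    # Pad the shorter tuple with zeros so '3.2.17' compares as 3.2.17.0.
    width = max(len(parts), len(FIXED_VERSION))
    running = parts + (0,) * (width - len(parts))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return running < fixed


def naive_string_check(version_text):
    """The pitfall this example exists to show: lexical comparison reports
    '3.2.17.9' as newer than '3.2.17.12' because '9' sorts after '1'."""
    return version_text < "3.2.17.12"


if __name__ == "__main__":
    for v in ("3.2.16.22", "3.2.17.9", "V3.2.17.12", "3.2.18.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed",
              "(naive string check says vulnerable:", naive_string_check(v), ")")
```

Feed `is_vulnerable` the version string read from Advanced > Administration > Firmware Update on each unit; both the router (RBR) and satellite (RBS) units need to be checked, since the advisory covers both.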

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed authentication attempts followed by successful command execution
  • Suspicious process creation

Network Indicators:

  • Unexpected outbound connections from the device
  • Traffic to known malicious IPs
  • Anomalous HTTP requests to management interface

SIEM Query:

source="netgear_orbi" AND (event_type="command_execution" OR process_name="sh" OR process_name="bash")
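The SIEM query above matches any shell process creation, which will also fire on legitimate cron jobs. The log indicator "multiple failed authentication attempts followed by successful command execution" is a better correlation rule. The following is an added example (not from the advisory or any vendor tooling) that implements both over a constructed, syslog-style sample; the log line format, field names and the `httpd` parent process are assumptions, since the advisory does not document the device's real log format.

```python
"""Added example (not from the advisory): run the page's shell-spawn query and
a failed-auth-then-shell correlation rule over constructed sample log lines."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed format; the real Orbi log layout is not
# given on the advisory page). Addresses are documentation ranges.
SAMPLE_LOG = """\
2021-04-01T10:00:01 orbi-rbr850 httpd: auth failure from 198.51.100.7
2021-04-01T10:00:03 orbi-rbr850 httpd: auth failure from 198.51.100.7
2021-04-01T10:00:05 orbi-rbr850 httpd: auth failure from 198.51.100.7
2021-04-01T10:00:09 orbi-rbr850 kernel: process created pid=2231 name=sh parent=httpd src=198.51.100.7
2021-04-01T10:30:00 orbi-rbr850 kernel: process created pid=2300 name=sh parent=cron src=-
2021-04-01T11:00:00 orbi-rbr850 httpd: auth failure from 192.0.2.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<daemon>\w+): (?P<msg>.*)$")
AUTH_FAIL_RE = re.compile(r"auth failure from (?P<src>\S+)")
PROC_RE = re.compile(
    r"process created pid=(?P<pid>\d+) name=(?P<name>\S+) "
    r"parent=(?P<parent>\S+) src=(?P<src>\S+)"
)
SHELLS = {"sh", "bash"}  # process names from the page's SIEM query


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str        # "auth_failure" or "process"
    src: str
    name: str = ""   # process name, for kind == "process"
    parent: str = ""  # parent process name, for kind == "process"


def parse_log(text):
    """Turn sample lines into Event records; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        a = AUTH_FAIL_RE.search(m["msg"])
        if a:
            events.append(Event(ts, m["host"], "auth_failure", a["src"]))
            continue
        p = PROC_RE.search(m["msg"])
        if p:
            events.append(Event(ts, m["host"], "process", p["src"], p["name"], p["parent"]))
    return events


def shell_spawns(events):
    """Equivalent of the page's SIEM query: every sh/bash process creation."""
    return [e for e in events if e.kind == "process" and e.name in SHELLS]


def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Alert when at least `min_failures` auth failures from one source are
    followed within `window` by a shell whose parent is the web server
    (assumed name 'httpd') and whose source is that same address."""
    alerts = []
    failures = {}  # src -> timestamps of auth failures seen so far
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "auth_failure":
            failures.setdefault(e.src, []).append(e.ts)
        elif e.kind == "process" and e.name in SHELLS and e.parent == "httpd":
            recent = [t for t in failures.get(e.src, []) if e.ts - t <= window]
            if len(recent) >= min_failures:
                alerts.append((e.host, e.src, e.ts))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("shell spawns (broad query):", len(shell_spawns(evs)))
    print("correlated alerts:", correlate(evs))
```

On the sample, the broad query returns both shell spawns (including the benign cron one), while the correlation rule returns only the shell spawned by the web server after the burst of failed logins from 198.51.100.7.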

🔗 References
