CVE-2021-29078

9.6 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary commands on affected NETGEAR WiFi systems. It affects multiple Orbi mesh WiFi router models running firmware versions before 3.2.17.12. Attackers can exploit this without any authentication, potentially gaining full control of the device.

💻 Affected Systems

Products:
  • NETGEAR RBK852
  • NETGEAR RBK853
  • NETGEAR RBK854
  • NETGEAR RBR850
  • NETGEAR RBS850
  • NETGEAR RBK752
  • NETGEAR RBK753
  • NETGEAR RBK753S
  • NETGEAR RBK754
  • NETGEAR RBR750
  • NETGEAR RBS750
Versions: All firmware versions before 3.2.17.12
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices are vulnerable in their default configurations. No special configuration is required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to install persistent malware, intercept all network traffic, pivot to internal networks, or use the device as part of a botnet.

🟠 Likely Case

Attackers gain remote shell access to the router, enabling them to modify network settings, intercept traffic, or use the device for further attacks.

🟢 If Mitigated

With proper network segmentation and firewall rules, impact is limited to the compromised device only, preventing lateral movement.

🌐 Internet-Facing: HIGH - These are internet-facing routers that are directly accessible from the internet, making them prime targets for exploitation.
🏢 Internal Only: MEDIUM - If placed behind another firewall or in internal-only configurations, risk is reduced but still significant because the exploit requires no authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in the SOAP API endpoint and requires sending specially crafted HTTP requests. Public exploit code exists and is relatively simple to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.17.12 or later

Vendor Advisory: https://kb.netgear.com/000063009/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-WiFi-Systems-PSV-2020-0511

Restart Required: Yes

Instructions:

1. Log into the router web interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install firmware version 3.2.17.12 or later.
4. The router will automatically reboot after installation.

🔧 Temporary Workarounds

Disable Remote Management

Applies to: all affected devices

Disable remote management/administration features to prevent external exploitation.

Network Segmentation

Applies to: all affected devices

Place affected routers behind a firewall that blocks external access to management interfaces.

🧯 If You Can't Patch

  • Replace affected devices with patched models or alternative vendors
  • Implement strict network access controls to limit exposure to the management interface

🔍 How to Verify

Check if Vulnerable:

Check current firmware version via router web interface: Advanced > Administration > Firmware Update

Check Version:

Check the web interface or run: curl -s http://router-ip/currentsetting.htm | grep Firmware

Verify Fix Applied:

Verify firmware version is 3.2.17.12 or later in the router web interface

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to SOAP endpoints
  • Multiple failed authentication attempts followed by successful command execution
  • Unexpected system processes or services running

Network Indicators:

  • HTTP requests containing shell metacharacters or command injection patterns
  • Unusual outbound connections from router to external IPs
  • Port scanning or attack traffic originating from router

SIEM Query:

source="router-logs" AND (url="*soap*" AND (method="POST" AND (content="*;*" OR content="*|*" OR content="*`*" OR content="*$(*")))
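The SIEM query above as a small self-contained checker, added here as an example that is not part of the original advisory: it parses a hypothetical access-log layout (assumed for this example, not NETGEAR's real log format), applies the same POST / SOAP-URL / shell-metacharacter conditions, and reports which character triggered each hit. The paths and log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Same conditions as the SIEM query: POST, a URL containing "soap", and a
# request body carrying one of these shell metacharacters.
SHELL_METACHARS = (";", "|", "`", "$(")

# Hypothetical access-log layout assumed for this example:
# "<client-ip> <method> <path> <status> body=<request body>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) body=(.*)$")


@dataclass
class Hit:
    client: str
    path: str
    metachar: str


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: skip it rather than abort the scan
    client, method, path, status, body = m.groups()
    return {"client": client, "method": method, "path": path,
            "status": int(status), "body": body}


def find_injection_attempts(lines: List[str]) -> List[Hit]:
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or "soap" not in rec["path"].lower():
            continue
        # Record the first metacharacter found so the analyst sees why it matched
        for mc in SHELL_METACHARS:
            if mc in rec["body"]:
                hits.append(Hit(rec["client"], rec["path"], mc))
                break
    return hits


# Constructed sample lines (not real traffic); the second and fourth should match,
# the fifth has a metacharacter but is not a SOAP request, the last does not parse.
SAMPLE_LOGS = [
    "192.0.2.10 POST /soap/server_sa/ 200 body=<Body><Time>12:00</Time></Body>",
    "192.0.2.55 POST /soap/server_sa/ 200 body=<Body><Value>abc; id</Value></Body>",
    "192.0.2.20 GET /currentsetting.htm 200 body=",
    "192.0.2.33 POST /soap/server_sa/ 200 body=<Body><Value>$(uname)</Value></Body>",
    "192.0.2.44 POST /login.cgi 401 body=user=admin|x",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for h in find_injection_attempts(SAMPLE_LOGS):
        print(f"{h.client} -> {h.path}: metacharacter {h.metachar!r}")
```

Note that legitimate SOAP bodies can contain `|` or `;` in free-text fields, so treat a hit as a lead to review alongside the other indicators above rather than as proof of exploitation.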

🔗 References
