CVE-2021-29080
📋 TL;DR
This vulnerability allows unauthenticated attackers to reset passwords on affected NETGEAR routers and WiFi systems. Attackers can gain administrative access without credentials, compromising network security. Users with specific NETGEAR models running outdated firmware are affected.
💻 Affected Systems
- NETGEAR RBK852
- NETGEAR RBK853
- NETGEAR RBR854
- NETGEAR RBR850
- NETGEAR RBS850
- NETGEAR CBR40
- NETGEAR R7000
- NETGEAR R6900P
- NETGEAR R7900
- NETGEAR R7960P
- NETGEAR R8000
- NETGEAR R7900P
- NETGEAR R8000P
- NETGEAR RAX75
- NETGEAR RAX80
- NETGEAR R7000P
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete network compromise where attacker gains administrative control, intercepts all traffic, deploys malware, and uses the device as a pivot point for further attacks.
Likely Case
Unauthorized administrative access leading to network configuration changes, DNS hijacking, credential theft, and potential lateral movement to connected devices.
If Mitigated
Limited impact if device is not internet-facing and network segmentation prevents lateral movement, though local network attacks remain possible.
🎯 Exploit Status
Exploitation requires sending specific HTTP requests to the device's web interface. Public proof-of-concept code exists, making attacks easy to automate.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version (minimum fixed firmware per model):
- RBK852 / RBK853 / RBR854 / RBR850 / RBS850: 3.2.10.11 or later
- CBR40: 2.5.0.10 or later
- R7000: 1.0.11.116 or later
- R6900P / R7000P: 1.3.2.126 or later
- R7900: 1.0.4.38 or later
- R7960P / R7900P / R8000P: 1.4.1.66 or later
- R8000: 1.0.4.66 or later
- RAX75 / RAX80: 1.0.3.102 or later
Vendor Advisory: https://kb.netgear.com/000063007/Security-Advisory-for-Pre-authentication-Password-Reset-on-Some-Routers-and-WiFi-Systems-PSV-2019-0150
Restart Required: Yes
Instructions:
1. Log into the router web interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and apply one if available.
4. If no update appears, download the firmware from the NETGEAR support site.
5. Upload and install it manually.
6. Reboot the device after installation.
🔧 Temporary Workarounds
Disable Remote Management
Prevents external attackers from accessing the web interface by disabling remote administration features.
Network Segmentation
Isolate affected devices on separate VLANs to limit the attack surface and prevent lateral movement.
🧯 If You Can't Patch
- Replace affected devices with patched models or different vendors
- Implement strict firewall rules blocking all inbound traffic to the router's management interface
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router web interface under Advanced > Administration > Firmware Update and compare with patched versions listed in advisory.
Check Version:
No CLI command; check via web interface at Advanced > Administration > Firmware Update or Router Status page.
Verify Fix Applied:
Confirm that the firmware version matches or exceeds the patched version listed in the advisory for your model, and that the password reset function now requires authentication before it can be used.
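Comparing a fleet of routers against the per-model fixed versions by hand is error-prone, so the following added example (not part of the advisory or of any NETGEAR tooling) encodes the patch table above and classifies a model/firmware pair as patched, vulnerable, or not listed. It assumes the firmware string is either the bare dotted form from the advisory or the form the web UI shows with a leading "V" and a "_build" suffix; that UI format and the sample inventory are constructed assumptions.

```python
import re

# Minimum fixed firmware per model, copied from the advisory's patch table.
FIXED_FIRMWARE = {
    "RBK852": "3.2.10.11", "RBK853": "3.2.10.11", "RBR854": "3.2.10.11",
    "RBR850": "3.2.10.11", "RBS850": "3.2.10.11",
    "CBR40": "2.5.0.10",
    "R7000": "1.0.11.116",
    "R6900P": "1.3.2.126", "R7000P": "1.3.2.126",
    "R7900": "1.0.4.38",
    "R7960P": "1.4.1.66", "R7900P": "1.4.1.66", "R8000P": "1.4.1.66",
    "R8000": "1.0.4.66",
    "RAX75": "1.0.3.102", "RAX80": "1.0.3.102",
}


def parse_version(raw):
    """Normalise a firmware string to a tuple of integers.

    Accepts the advisory form ("1.0.11.116") and a UI-style form such as
    "V1.0.11.116_10.2.100" (assumption: leading 'V' and '_<build>' suffix
    are dropped). Anything else raises ValueError rather than guessing.
    """
    core = raw.strip().lstrip("Vv").split("_", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised firmware version: {raw!r}")
    return tuple(int(part) for part in core.split("."))


def assess(model, installed):
    """Return 'patched', 'vulnerable', or 'not-listed' for one device."""
    model = model.strip().upper()
    if model not in FIXED_FIRMWARE:
        return "not-listed"  # model not named in the advisory; cannot judge
    fixed = parse_version(FIXED_FIRMWARE[model])
    current = parse_version(installed)
    # Pad with zeros so 1.0.4 and 1.0.4.0 compare as equal.
    width = max(len(fixed), len(current))
    fixed += (0,) * (width - len(fixed))
    current += (0,) * (width - len(current))
    return "patched" if current >= fixed else "vulnerable"


def assess_inventory(rows):
    """rows: iterable of (model, firmware). Returns (model, firmware, status) triples."""
    return [(model, fw, assess(model, fw)) for model, fw in rows]


if __name__ == "__main__":
    # Constructed inventory for illustration; not real devices.
    inventory = [
        ("R7000", "V1.0.11.110_10.2.100"),
        ("R7000", "V1.0.11.116_10.2.100"),
        ("RAX80", "1.0.4.1"),
        ("R8000", "1.0.4.38"),
        ("R6400", "1.0.1.70"),
    ]
    for model, fw, status in assess_inventory(inventory):
        print(f"{model:8} {fw:24} {status}")
```

Devices reported as "not-listed" are not necessarily safe; they are simply outside the scope of this advisory and should be checked against their own model's security notices.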
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful password reset
- Unusual HTTP POST requests to password reset endpoints from unauthenticated sources
- Administrative password change logs from unexpected IP addresses
Network Indicators:
- HTTP traffic to router management interface on port 80/443 from external IPs
- Unusual patterns of requests to /password.cgi or similar reset endpoints
SIEM Query:
source="router_logs" AND (url="*password*" OR action="password_reset") AND src_ip NOT IN [authorized_admin_ips]
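To show how the log indicators and the SIEM query above translate into concrete detection logic, here is an added example (not from the advisory and not vendor code) that runs two rules over constructed router log lines: requests to password-related endpoints from sources outside the authorized admin networks, and a burst of failed logins from one source followed by a password reset from the same source. The key=value log format, the 192.168.1.0/24 admin network and the sample lines are all constructed assumptions; real NETGEAR syslog output differs and the parser would need adapting.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed log format (assumption; real router logs differ):
# "<timestamp> src=<ip> method=<verb> url=<path> status=<code> event=<name>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

# Networks allowed to reach the management interface (constructed for the example).
AUTHORIZED_ADMIN_NETS = [ip_network("192.168.1.0/24")]


def parse_line(line):
    """Split one log line into a dict of fields, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    fields = {"ts": match.group("ts")}
    for token in match.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_authorized(src):
    """True if src parses as an IP inside an authorized admin network."""
    try:
        ip = ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in AUTHORIZED_ADMIN_NETS)


def detect(lines, failed_login_threshold=3):
    """Return (rule, src, ts) alerts for the supplied log lines.

    Rule A mirrors the SIEM query: any password-related URL or event from a
    source that is not an authorized admin address.
    Rule B mirrors the first log indicator: at least `failed_login_threshold`
    failed logins from a source, then a password reset from that same source.
    """
    alerts = []
    failed = {}  # src -> consecutive failed logins seen so far
    for line in lines:
        fields = parse_line(line)
        if fields is None or "src" not in fields:
            continue
        src = fields["src"]
        url = fields.get("url", "")
        event = fields.get("event", "")
        password_related = "password" in url.lower() or event == "password_reset"
        if password_related and not is_authorized(src):
            alerts.append(("A:password-endpoint-from-unauthorized-source", src, fields["ts"]))
        if event == "login_failed":
            failed[src] = failed.get(src, 0) + 1
        elif event == "password_reset" and failed.get(src, 0) >= failed_login_threshold:
            alerts.append(("B:failed-logins-then-reset", src, fields["ts"]))
            failed[src] = 0
        elif event == "login_ok":
            failed[src] = 0
    return alerts


# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOGS = """\
2021-03-10T09:00:01Z src=192.168.1.20 method=GET url=/index.htm status=200 event=page
2021-03-10T09:00:05Z src=192.168.1.20 method=POST url=/password.cgi status=200 event=password_reset
2021-03-10T09:10:01Z src=203.0.113.5 method=POST url=/login.cgi status=401 event=login_failed
2021-03-10T09:10:02Z src=203.0.113.5 method=POST url=/login.cgi status=401 event=login_failed
2021-03-10T09:10:03Z src=203.0.113.5 method=POST url=/login.cgi status=401 event=login_failed
2021-03-10T09:10:09Z src=203.0.113.5 method=POST url=/password.cgi status=200 event=password_reset
2021-03-10T09:20:00Z src=198.51.100.7 method=GET url=/password.cgi status=200 event=page
""".splitlines()

if __name__ == "__main__":
    for rule, src, ts in detect(SAMPLE_LOGS):
        print(f"{ts} {src:14} {rule}")
```

The legitimate reset from 192.168.1.20 produces no alert, while the external source that fails three logins and then resets the password trips both rules. In production the allowlist should come from the same source of truth as the firewall rules recommended above, so that the two cannot drift apart.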