CVE-2021-33514

8.8 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on affected NETGEAR smart switches by injecting malicious commands through the User-Agent header in HTTP requests to a vulnerable CGI application. The attack exploits improper input sanitization in the libsal library and affects multiple NETGEAR smart switch models.

💻 Affected Systems

Products:
  • NETGEAR GC108P
  • NETGEAR GC108PP
  • NETGEAR GS108Tv3
  • NETGEAR GS110TPPv1
  • NETGEAR GS110TPv3
  • NETGEAR GS110TUPv1
  • NETGEAR GS710TUPv1
  • NETGEAR GS716TP
  • NETGEAR GS716TPP
  • NETGEAR GS724TPPv1
  • NETGEAR GS724TPv2
  • NETGEAR GS728TPPv2
  • NETGEAR GS728TPv2
  • NETGEAR GS752TPPv1
  • NETGEAR GS752TPv2
  • NETGEAR MS510TXM
  • NETGEAR MS510TXUP
Versions: Firmware versions before: GC108P/GC108PP 1.0.7.3, GS108Tv3/GS110TPPv1/GS110TPv3 7.0.6.3, GS110TUPv1/GS710TUPv1 1.0.4.3, GS716TP/GS716TPP 1.0.2.3, GS724TPPv1/GS724TPv2 2.0.4.3, GS728TPPv2/GS728TPv2/GS752TPPv1/GS752TPv2 6.0.6.3, MS510TXM/MS510TXUP 1.0.2.3
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices with default configurations are vulnerable. The vulnerability is in the web management interface accessible via HTTP.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of affected switches allowing attackers to install persistent backdoors, pivot to internal networks, disrupt network operations, or use devices as part of botnets.

🟠

Likely Case

Attackers gain remote code execution to reconfigure switches, intercept network traffic, or disrupt network connectivity.

🟢

If Mitigated

With proper network segmentation and access controls, impact limited to isolated network segments.

🌐 Internet-Facing: HIGH - Exploitation requires no authentication and can be performed remotely via HTTP requests.
🏢 Internal Only: HIGH - Even internally, unauthenticated attackers on the same network segment can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept demonstrates exploitation via HTTP request with malicious User-Agent header to setup.cgi endpoint. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GC108P/GC108PP: 1.0.7.3, GS108Tv3/GS110TPPv1/GS110TPv3: 7.0.6.3, GS110TUPv1/GS710TUPv1: 1.0.4.3, GS716TP/GS716TPP: 1.0.2.3, GS724TPPv1/GS724TPv2: 2.0.4.3, GS728TPPv2/GS728TPv2/GS752TPPv1/GS752TPv2: 6.0.6.3, MS510TXM/MS510TXUP: 1.0.2.3

Vendor Advisory: https://kb.netgear.com/000063641/Security-Advisory-for-Pre-Authentication-Command-Injection-Vulnerability-on-Some-Smart-Switches-PSV-2021-0071

Restart Required: Yes

Instructions:

1. Download the firmware update from the NETGEAR support site.
2. Log into the switch web interface.
3. Navigate to Maintenance > Firmware Upgrade.
4. Upload the firmware file.
5. Apply the update and wait for the automatic reboot.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate affected switches from untrusted networks and restrict access to management interfaces.

Access Control Lists

Platform: linux

Implement firewall rules to restrict HTTP/HTTPS access to switch management interfaces to trusted IP addresses only.

# Assumption: these rules run on the Linux host that fronts the management
# network (on an inline gateway use the FORWARD chain with -d <switch_ip>).
# Order matters: the ACCEPT for the trusted source must precede the DROPs.
iptables -A INPUT -p tcp --dport 80 -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Disable web management interface if not required
  • Place switches behind VPN or jump host with strict access controls

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > Information) or SSH (show version) and compare with patched versions listed in advisory.

Check Version:

ssh admin@<switch_ip> 'show version', or open the web interface's System > Information page

Verify Fix Applied:

Verify firmware version matches or exceeds patched version. Test with known exploit payloads to confirm they no longer work.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /setup.cgi with unusual User-Agent strings containing shell metacharacters
  • Multiple failed login attempts followed by successful command execution patterns
  • Unusual process execution in switch logs

Network Indicators:

  • HTTP requests with User-Agent containing ;, $, |, &, or other shell metacharacters
  • Rapid sequential requests to setup.cgi endpoint
  • Outbound connections from switches to unexpected destinations

SIEM Query:

source="switch_logs" AND uri="/setup.cgi" AND (user_agent="*;*" OR user_agent="*$*" OR user_agent="*|*" OR user_agent="*&*")
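As an added example (not from this advisory, NETGEAR, or any PoC), the following Python scans web-server access-log lines for the log indicators above: requests to /setup.cgi whose User-Agent contains the listed shell metacharacters. The Combined Log Format layout and the sample lines are assumptions; because ordinary browser User-Agents contain ';' (e.g. "(X11; Linux x86_64)"), a semicolon alone is scored as a weak match so the rule is not drowned in browser traffic.

```python
import re

# Assumed log layout: Combined Log Format
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Metacharacters the advisory lists. ';' is scored weak because normal browser
# User-Agents contain it; the others rarely appear in legitimate User-Agents.
STRONG = set("|&$`")
WEAK = set(";")

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(record):
    """Return 'strong', 'weak' or None for a parsed record."""
    path = record["path"].split("?", 1)[0]
    if not path.endswith("/setup.cgi"):   # only the vulnerable CGI is of interest
        return None
    chars = set(record["ua"])
    if chars & STRONG:
        return "strong"
    if chars & WEAK:
        return "weak"
    return None

def scan(log_text):
    """Return a list of (level, ip, user_agent) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        level = classify(rec)
        if level:
            hits.append((level, rec["ip"], rec["ua"]))
    return hits

# Constructed sample lines (not real switch logs); User-Agents are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2021:12:00:01 +0000] "GET /setup.cgi?next_file=index.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Jun/2021:12:00:02 +0000] "GET /setup.cgi HTTP/1.1" 200 0 "-" "scan|$x"
10.0.0.9 - - [10/Jun/2021:12:00:03 +0000] "GET /index.htm HTTP/1.1" 200 2048 "-" "curl/7.0|x"
"""
```

Running scan(SAMPLE_LOG) flags the browser request to /setup.cgi as weak and the second line as strong, while the request to /index.htm is ignored even though its User-Agent contains '|'.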
