CVE-2021-35973
📋 TL;DR
This vulnerability allows unauthenticated attackers to bypass authentication on NETGEAR WAC104 wireless access points by adding a specific substring to HTTP queries. Attackers can change the web UI password, enable debug mode with telnet access, and gain shell access as admin, with easy privilege escalation to root due to weak permissions. All NETGEAR WAC104 devices running firmware versions before 1.0.4.15 are affected.
💻 Affected Systems
- NETGEAR WAC104 Wireless Access Point
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise with root access, allowing attackers to intercept network traffic, install persistent malware, pivot to other network devices, and maintain persistent access even after password changes.
Likely Case
Unauthenticated attackers gain admin shell access, change device passwords, enable telnet for persistent access, and potentially intercept or manipulate network traffic passing through the access point.
If Mitigated
If patched or properly segmented, impact is limited to the device itself without network-wide compromise, though local network access could still be affected.
🎯 Exploit Status
Exploitation requires only HTTP access to the device's web interface and adding &currentsetting.htm to any query parameter. No authentication or special tools required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.4.15
Vendor Advisory: https://kb.netgear.com/000063785/Security-Advisory-for-Authentication-Bypass-on-WAC104-PSV-2021-0075
Restart Required: Yes
Instructions:
1. Log into the WAC104 web interface as admin.
2. Navigate to Maintenance > Firmware Upgrade.
3. Download firmware version 1.0.4.15 from NETGEAR support site.
4. Upload and install the firmware.
5. Device will reboot automatically.
🔧 Temporary Workarounds
Disable Web Management Interface
Disable the web management interface if not needed for administration
Not applicable - use web interface settings
Network Segmentation
Place WAC104 on isolated management VLAN with strict access controls
Not applicable - network configuration required
🧯 If You Can't Patch
- Isolate the WAC104 on a separate VLAN with strict firewall rules limiting access to trusted management IPs only
- Disable remote management and ensure web interface is only accessible from internal trusted networks
🔍 How to Verify
Check if Vulnerable:
Check firmware version in web interface under Maintenance > Router Status. If version is below 1.0.4.15, device is vulnerable.
Check Version:
Not applicable - use web interface or check via HTTP request to device management page
Verify Fix Applied:
Verify firmware version shows 1.0.4.15 or higher in Maintenance > Router Status after update.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing &currentsetting.htm parameter
- Multiple failed authentication attempts followed by successful admin actions
- Telnet service activation logs
Network Indicators:
- HTTP requests to device management interface with unusual query parameters
- Telnet connections to device on port 23 from unexpected sources
- Password change requests without prior authentication
SIEM Query:
http.url:*currentsetting.htm* OR (event.action:"password change" AND NOT auth.success:true)
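Where no SIEM is available, the first log indicator can be checked directly against proxy or web access logs. The following is an added example, not part of the vendor advisory: it flags requests whose query string contains the `currentsetting.htm` substring, including percent-encoded and mixed-case forms. The log format, paths and addresses are constructed for illustration, and treating a request whose path (rather than query) is the marker as a non-match is an assumption of this sketch.

```python
import re
from urllib.parse import urlsplit, unquote

MARKER = "currentsetting.htm"  # substring named in the log indicators

# Constructed sample lines in common log format (not captured from a real device).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jul/2021:10:00:01 +0000] "GET /index.htm HTTP/1.1" 401 0
192.0.2.10 - - [01/Jul/2021:10:00:02 +0000] "GET /example-page.htm?a=1&currentsetting.htm HTTP/1.1" 200 512
198.51.100.7 - - [01/Jul/2021:10:00:03 +0000] "GET /example-page.htm?a=1%26CurrentSetting.htm HTTP/1.1" 200 512
192.0.2.20 - - [01/Jul/2021:10:00:04 +0000] "GET /currentsetting.htm HTTP/1.1" 200 128
"""

# client address, request target and status code from a common-log-format line
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')


def marker_in_query(target: str) -> bool:
    """True when the marker appears in the query string rather than the path."""
    query = urlsplit(target).query
    # Decode twice so single and double percent-encoding are both caught.
    decoded = unquote(unquote(query)).lower()
    return MARKER in decoded


def find_suspicious(log_text: str) -> list:
    """Return one record per log line whose query string carries the marker."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not HTTP request records
        client, target, status = m.groups()
        if marker_in_query(target):
            hits.append({"client": client, "target": target, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['target']} (HTTP {hit['status']})")
```

A hit with a 2xx status from an address outside the trusted management range is the case to correlate with the password change and telnet indicators listed above.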