CVE-2021-45520
📋 TL;DR
This vulnerability involves hardcoded credentials in certain NETGEAR Orbi WiFi systems, allowing attackers to gain administrative access to affected devices. It affects NETGEAR RBK352, RBR350, and RBS350 devices running firmware versions before 4.4.0.10. Attackers could exploit this to take full control of vulnerable devices.
💻 Affected Systems
- NETGEAR RBK352
- NETGEAR RBR350
- NETGEAR RBS350
📦 What is this software?
NETGEAR Orbi is a consumer mesh WiFi system made up of a router and one or more satellites; the affected RBK352, RBR350 and RBS350 are Orbi models.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the WiFi system, allowing attackers to intercept all network traffic, deploy malware to connected devices, pivot to internal networks, and maintain persistent access.
Likely Case
Unauthorized administrative access to the router/mesh system, enabling network configuration changes, DNS hijacking, and credential theft from connected devices.
If Mitigated
Limited impact if devices are behind firewalls, not internet-facing, and network segmentation prevents lateral movement from compromised devices.
🎯 Exploit Status
Hardcoded credential vulnerabilities are trivial to exploit once the credentials are known. No authentication required for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.0.10 or later
Vendor Advisory: https://kb.netgear.com/000064151/Security-Advisory-for-Hardcoded-Password-on-Some-WiFi-Systems-PSV-2021-0012
Restart Required: Yes
Instructions:
1. Log into the router admin interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install firmware version 4.4.0.10 or later.
4. Reboot the device after the update completes.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected devices from critical network segments to limit potential damage if compromised.
Disable Remote Management
Turn off remote administration features to prevent internet-based attacks.
🧯 If You Can't Patch
- Replace affected devices with non-vulnerable models or different vendor products
- Implement strict network access controls and monitor for suspicious administrative access attempts
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the router admin interface under Advanced > Administration > Firmware Update. If the version is below 4.4.0.10, the device is vulnerable.
Check Version:
No CLI command is available; check via the web interface at http://orbilogin.com or the device IP address.
Verify Fix Applied:
Confirm firmware version is 4.4.0.10 or higher in admin interface. Test that default/hardcoded credentials no longer provide access.
📡 Detection & Monitoring
Log Indicators:
- Failed login attempts followed by successful login with unusual timing
- Configuration changes from unexpected IP addresses
- Administrative access from unauthorized locations
Network Indicators:
- Unusual administrative traffic to router management interface
- DNS configuration changes
- Port scanning originating from router
SIEM Query:
source="router_logs" AND (event="login_success" AND user="admin" AND NOT src_ip IN [authorized_admin_ips])
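Added example (not part of the advisory or NETGEAR's tooling): the firmware-version check and the log indicators above, applied to a few constructed router log lines. The log format, the `AUTHORIZED_ADMIN_IPS` set and the 30-second failure-to-success window are assumptions for illustration.

```python
# Added example: evaluate the advisory's detection indicators against constructed
# router log lines and compare a firmware version against the fixed release.
import re
from datetime import datetime, timedelta

FIXED_VERSION = (4, 4, 0, 10)            # from the advisory: 4.4.0.10 or later is patched
AUTHORIZED_ADMIN_IPS = {"192.168.1.10"}  # assumption: the network's admin workstation

# Constructed sample lines in an assumed "timestamp event user src_ip" format.
SAMPLE_LOGS = """\
2021-12-01T10:00:01 login_failure admin 203.0.113.7
2021-12-01T10:00:03 login_success admin 203.0.113.7
2021-12-01T10:05:00 login_success admin 192.168.1.10
2021-12-01T10:06:30 config_change admin 203.0.113.7
"""

LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (\S+)")

def parse_version(version):
    return tuple(int(part) for part in version.split("."))

def is_vulnerable(version):
    """Firmware below 4.4.0.10 still carries the hardcoded credentials."""
    return parse_version(version) < FIXED_VERSION

def parse_logs(text):
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            ts, event, user, ip = match.groups()
            events.append((datetime.fromisoformat(ts), event, user, ip))
    return events

def find_alerts(text, authorized=AUTHORIZED_ADMIN_IPS, window=timedelta(seconds=30)):
    """Flag admin logins and config changes from unauthorized IPs, and
    a failed login followed shortly by a success from the same IP."""
    alerts, last_failure = [], {}
    for ts, event, user, ip in parse_logs(text):
        if user != "admin":
            continue
        if event == "login_failure":
            last_failure[ip] = ts
        elif event == "login_success":
            if ip not in authorized:
                alerts.append(("admin_login_unauthorized_ip", ip, ts.isoformat()))
            if ip in last_failure and ts - last_failure[ip] <= window:
                alerts.append(("failure_then_success", ip, ts.isoformat()))
        elif event == "config_change" and ip not in authorized:
            alerts.append(("config_change_unauthorized_ip", ip, ts.isoformat()))
    return alerts
```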