CVE-2021-45535
📋 TL;DR
This is a post-authentication command injection in certain NETGEAR routers and WiFi systems: a user who can log in to the device's management interface can inject arbitrary operating-system commands and have the device execute them. It affects multiple NETGEAR models, including RAX200, RAX80, RAX75, RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850. Valid credentials are the only precondition, so an attacker who has obtained the admin password can use the flaw to gain elevated privileges on the device.
💻 Affected Systems
- NETGEAR RAX200
- NETGEAR RAX80
- NETGEAR RAX75
- NETGEAR RBK752
- NETGEAR RBR750
- NETGEAR RBS750
- NETGEAR RBK852
- NETGEAR RBR850
- NETGEAR RBS850
📦 What is this software?
NETGEAR consumer WiFi routers (the RAX series) and Orbi mesh WiFi systems (RBK kits, RBR routers and RBS satellites); RBK752 is the product the CVE record is filed against, but the vendor advisory covers all nine models listed above.
⚠️ Risk & Real-World Impact
Worst Case
Full device compromise allowing attacker to install persistent malware, intercept all network traffic, pivot to internal networks, or brick the device.
Likely Case
Attacker with valid credentials gains root access to the router, enabling traffic interception, DNS hijacking, and network reconnaissance.
If Mitigated
Limited impact if strong authentication controls prevent unauthorized access and network segmentation isolates the router.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: RAX200/RAX80/RAX75: 1.0.3.106 or later; RBK752/RBR750/RBS750/RBK852/RBR850/RBS850: 3.2.16.6 or later
Vendor Advisory: https://kb.netgear.com/000064457/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Routers-and-WiFi-Systems-PSV-2020-0052
Restart Required: Yes
Instructions:
1. Log in to the router admin interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install the latest firmware.
4. Reboot the router after the update completes.
🔧 Temporary Workarounds
Change default credentials
Change all default passwords and use strong, unique credentials for router admin access; this vulnerability is only reachable with a valid login.
Disable remote management
Disable remote administration so the admin interface is reachable only from the LAN, not from the WAN side.
🧯 If You Can't Patch
- Implement network segmentation to isolate router management interface
- Enable logging and monitor for suspicious authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router admin interface under Advanced > Administration > Firmware Update
Check Version:
Check via web interface or SSH if enabled: cat /etc/version
Verify Fix Applied:
Verify firmware version is at or above patched versions: RAX200/RAX80/RAX75 >= 1.0.3.106; RBK752/RBR750/RBS750/RBK852/RBR850/RBS850 >= 3.2.16.6
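As an added example (not part of this page or the NETGEAR advisory), the following Python checker applies the fixed-version thresholds above to a model/version inventory. The handling of version strings (optional leading "V", build suffix after "_") and the inventory line format are assumptions made for the example.

```python
import re

# Minimum fixed firmware per affected model, taken from the advisory figures above.
PATCHED = {
    "RAX200": (1, 0, 3, 106), "RAX80": (1, 0, 3, 106), "RAX75": (1, 0, 3, 106),
    "RBK752": (3, 2, 16, 6), "RBR750": (3, 2, 16, 6), "RBS750": (3, 2, 16, 6),
    "RBK852": (3, 2, 16, 6), "RBR850": (3, 2, 16, 6), "RBS850": (3, 2, 16, 6),
}

# Assumption: NETGEAR version strings look like 'V1.0.3.106' or 'V1.0.3.106_10.1.4'.
# The leading 'V' is optional and anything after '_' is a build/region suffix.
_VERSION_RE = re.compile(r"^[Vv]?(\d+(?:\.\d+)*)(?:_.*)?$")


def parse_version(text):
    """Turn a firmware string into a tuple of ints that compares numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(model, version):
    """True if the model is in scope and runs firmware below the fixed release.

    Tuple comparison is deliberate: a plain string compare would rank
    '1.0.3.99' above '1.0.3.106'. A version with fewer components than the
    fix (e.g. '1.0.3') compares lower and is therefore treated as vulnerable.
    """
    key = model.strip().upper()
    if key not in PATCHED:
        raise KeyError(f"{model!r} is not listed as affected by CVE-2021-45535")
    return parse_version(version) < PATCHED[key]


def check_inventory(text):
    """Evaluate 'model,version' lines (constructed inventory format, one per
    line, '#' comments allowed) and return [(model, version, vulnerable)]."""
    results = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        model, version = (field.strip() for field in line.split(",", 1))
        results.append((model.upper(), version, is_vulnerable(model, version)))
    return results


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    SAMPLE = """
    RAX200, V1.0.3.106_10.1.4   # at the fixed version
    RAX80,  V1.0.2.64_10.0.58   # below the fix
    RBK752, V3.2.16.6_1.3.7     # at the fixed version
    rbs850, 3.2.15.25           # below the fix
    """
    for model, version, vuln in check_inventory(SAMPLE):
        print(f"{model:8} {version:22} {'VULNERABLE' if vuln else 'patched'}")
```

Feed it the version string exactly as shown on the Firmware Update page; if your devices report a suffix format that differs from the assumed one, adjust `_VERSION_RE` rather than trimming the string by hand.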
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Multiple failed authentication attempts followed by successful login
- Suspicious process execution
Network Indicators:
- Unusual outbound connections from router
- DNS queries to malicious domains from router
- Unexpected network configuration changes
SIEM Query:
source="router_logs" AND (event_type="command_execution" OR (auth_success="true" AND user!="admin"))
The field names are illustrative and depend on how the router's syslog is normalized in your SIEM. Consumer router logs do not usually record command execution, so in practice the authentication clause is what fires; pair it with the "failed attempts followed by success" pattern above.
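As an added example (not from this page or from NETGEAR), here is the "multiple failed authentication attempts followed by a successful login" indicator implemented as a small Python detector over syslog-style lines. The log lines are constructed for the example and the two message patterns are assumptions; real NETGEAR wording varies by model and firmware, so adjust `FAIL_RE` and `OK_RE` to match your devices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sample; not real NETGEAR output.
SAMPLE_LOG = """\
Dec 21 10:00:01 router admin login failed from 192.168.1.50
Dec 21 10:00:03 router admin login failed from 192.168.1.50
Dec 21 10:00:05 router admin login failed from 192.168.1.50
Dec 21 10:00:09 router admin login succeeded from 192.168.1.50
Dec 21 10:30:00 router admin login failed from 192.168.1.20
Dec 21 10:30:02 router admin login succeeded from 192.168.1.20
"""

# "<Mon> <day> <HH:MM:SS> <host> <message>" as forwarded by classic syslog.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$")
# Assumed message wording; tune these to the strings your routers emit.
FAIL_RE = re.compile(r"login fail\w* .*?from (?P<ip>\d+(?:\.\d+){3})")
OK_RE = re.compile(r"login succe\w* .*?from (?P<ip>\d+(?:\.\d+){3})")


def parse_ts(text, year=2021):
    """Syslog timestamps carry no year; the year is assumed here."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_bruteforce_then_success(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (ip, failures_in_window, success_time) for every successful login
    that was preceded by at least `threshold` failures from the same source IP
    within `window`. Failures are kept per IP in a deque and expired from the
    front once they fall outside the window relative to the success event."""
    failures = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog line we understand
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        f = FAIL_RE.search(msg)
        if f:
            failures[f.group("ip")].append(ts)
            continue
        s = OK_RE.search(msg)
        if not s:
            continue
        ip = s.group("ip")
        q = failures[ip]
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ip, len(q), ts))
        q.clear()  # a success ends the attempt sequence for this source
    return alerts


if __name__ == "__main__":
    for ip, n, when in detect_bruteforce_then_success(SAMPLE_LOG):
        print(f"ALERT {when:%b %d %H:%M:%S}: {n} failed logins then success from {ip}")
```

Run against a syslog export from the router (or the SIEM's raw event store). A threshold of three within five minutes catches the sample's 192.168.1.50 sequence and ignores the single typo-then-success from 192.168.1.20; raise the window if your devices rate-limit logins and attackers spread attempts out.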