CVE-2021-45537

8.4 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary commands on affected NETGEAR routers and WiFi systems. It affects multiple NETGEAR models including RAX200, RAX75, RAX80, RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850. Attackers must first authenticate to the device's web interface before exploiting the command injection flaw.

💻 Affected Systems

Products:
  • NETGEAR RAX200
  • NETGEAR RAX75
  • NETGEAR RAX80
  • NETGEAR RBK752
  • NETGEAR RBR750
  • NETGEAR RBS750
  • NETGEAR RBK852
  • NETGEAR RBR850
  • NETGEAR RBS850
Versions: RAX200, RAX75, RAX80 before 1.0.3.106; RBK752, RBR750, RBS750, RBK852, RBR850, RBS850 before 3.2.16.6
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Every affected model running a firmware version below the fixed release is exposed in its default configuration. The flaw requires authentication, but many devices are still deployed with default credentials.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise allowing attackers to install persistent backdoors, intercept network traffic, pivot to internal networks, or use the device as part of a botnet.

🟠 Likely Case: Local network compromise where attackers gain control of the router to modify DNS settings, intercept traffic, or launch attacks against internal devices.

🟢 If Mitigated: Limited impact if strong authentication is used and network segmentation isolates the router management interface.

🌐 Internet-Facing: MEDIUM - While the exploit requires authentication, many home/small business routers have management interfaces exposed to the internet with weak credentials.
🏢 Internal Only: HIGH - Once an attacker gains access to the local network (via phishing, malware, or physical access), they can exploit this vulnerability to take full control of the router.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the web interface. The flaw is a command injection (CWE-77): a class of bug in which attacker-controlled web parameters reach a shell command without adequate neutralisation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RAX200, RAX75, RAX80: 1.0.3.106 or later; RBK752, RBR750, RBS750, RBK852, RBR850, RBS850: 3.2.16.6 or later

Vendor Advisory: https://kb.netgear.com/000064083/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Routers-and-WiFi-Systems-PSV-2020-0061

Restart Required: Yes

Instructions:

1. Log into the NETGEAR router web interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install if available.
4. Alternatively, download the firmware from the NETGEAR support site and upload it manually.
5. Reboot the device after the update.

🔧 Temporary Workarounds

Disable remote management (applies to: all models): Prevent external access to the router management interface.

Change default credentials (applies to: all models): Use strong, unique passwords for router admin access.

🧯 If You Can't Patch

  • Isolate router management interface to trusted network segments only
  • Implement network monitoring for suspicious router configuration changes

🔍 How to Verify

Check if Vulnerable:

Log into router web interface and check firmware version under Advanced > Administration > Firmware Update

Check Version:

Check via web interface or use curl: curl -u admin:password http://router_ip/currentsetting.htm | grep firmware

Verify Fix Applied:

Confirm the firmware version is 1.0.3.106 or higher on RAX models (RAX200, RAX75, RAX80) and 3.2.16.6 or higher on Orbi models (RBK752, RBR750, RBS750, RBK852, RBR850, RBS850).
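The version check above is easy to get wrong when comparing strings (for example "3.2.16.10" sorts before "3.2.16.6" lexicographically). The following is an added example, not part of the original advisory or NETGEAR's own tooling: it compares each model's firmware against the fixed release numerically, and parses a key=value settings page whose "Model" and "Firmware" keys, and the "V1.0.3.106_10.1.12" version shape, are assumptions rather than documented facts.

```python
import re

# Fixed firmware versions from the advisory, keyed by model.
FIXED_VERSIONS = {
    "RAX200": "1.0.3.106", "RAX75": "1.0.3.106", "RAX80": "1.0.3.106",
    "RBK752": "3.2.16.6", "RBR750": "3.2.16.6", "RBS750": "3.2.16.6",
    "RBK852": "3.2.16.6", "RBR850": "3.2.16.6", "RBS850": "3.2.16.6",
}

def parse_version(raw):
    """Turn a NETGEAR-style firmware string into a comparable tuple of ints.
    Assumption: strings look like 'V1.0.3.106_10.1.12' or '1.0.3.106';
    a leading 'V' and any '_suffix' (region/build tag) are ignored."""
    core = raw.strip().lstrip("Vv").split("_", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised firmware version: {raw!r}")
    return tuple(int(part) for part in core.split("."))

def is_vulnerable(model, firmware):
    """Return True if this model/firmware pair is below the fixed release.
    Unknown models raise so a missing mapping is never reported as 'safe'."""
    model = model.strip().upper()
    if model not in FIXED_VERSIONS:
        raise KeyError(f"model {model} is not in the advisory's affected list")
    return parse_version(firmware) < parse_version(FIXED_VERSIONS[model])

def check_settings_page(text):
    """Parse key=value lines (assumed shape of currentsetting.htm; the
    'Model' and 'Firmware' keys are an assumption) and classify the device."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    model, firmware = fields.get("Model"), fields.get("Firmware")
    if not model or not firmware:
        raise ValueError("Model or Firmware field missing from settings page")
    return model, firmware, is_vulnerable(model, firmware)

# Constructed sample page, not captured from a real device.
SAMPLE = "Firmware=V1.0.3.102_10.1.12\nRegionTag=RAX80_NA\nModel=RAX80\n"

if __name__ == "__main__":
    print(check_settings_page(SAMPLE))  # ('RAX80', 'V1.0.3.102_10.1.12', True)
```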

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in router logs
  • Multiple failed login attempts followed by configuration changes
  • Unexpected firmware or configuration modifications

Network Indicators:

  • Unusual outbound connections from router
  • DNS configuration changes
  • New port openings on router

SIEM Query:

source="router_logs" AND ("command injection" OR "shell" OR "exec" OR "configuration change")

The search terms above are generic placeholders; tune them to the field names and message formats your router actually emits to syslog.
