CVE-2021-45545
📋 TL;DR
This vulnerability allows authenticated users to execute arbitrary commands on affected NETGEAR routers and WiFi systems through command injection. Attackers with valid credentials can gain elevated privileges and potentially take full control of the device. The vulnerability affects multiple NETGEAR router models with specific firmware versions.
💻 Affected Systems
- NETGEAR R7850
- NETGEAR R7900P
- NETGEAR R7960P
- NETGEAR R8000
- NETGEAR R8000P
- NETGEAR RAX200
- NETGEAR RAX75
- NETGEAR RAX80
- NETGEAR RBK852
- NETGEAR RBR850
- NETGEAR RBS850
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the router allowing attackers to intercept all network traffic, install persistent malware, pivot to internal network devices, and use the router as a botnet node.
Likely Case
Unauthorized configuration changes, network traffic interception, credential theft from connected devices, and installation of backdoors.
If Mitigated
Limited to authenticated attackers only; proper network segmentation and monitoring could contain damage to the router itself.
🎯 Exploit Status
Exploitation requires valid credentials but is straightforward once authenticated. Command injection vulnerabilities are commonly weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R7850: 1.0.5.74+, R7900P/R7960P/R8000P: 1.4.2.84+, R8000: 1.0.4.74+, RAX200/RAX75/RAX80: 1.0.4.120+, RBK852/RBR850/RBS850: 3.2.17.12+
Vendor Advisory: https://kb.netgear.com/000064522/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Routers-and-WiFi-Systems-PSV-2020-0557
Restart Required: Yes
Instructions:
1. Log into router admin interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and install latest firmware. 4. Reboot router after update completes.
🔧 Temporary Workarounds
Change Default Credentials
allChange all default admin passwords to strong, unique passwords to reduce attack surface.
Disable Remote Management
allDisable WAN-side administration to prevent external attackers from accessing admin interface.
🧯 If You Can't Patch
- Segment affected routers from critical internal networks using VLANs or separate physical networks
- Implement strict firewall rules limiting router management interface access to specific trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check current firmware version in router admin interface under Advanced > Administration > Firmware Update and compare with patched versions.Check Version:
Log into router web interface and navigate to Advanced > Administration > Firmware Update to view current versionVerify Fix Applied:
Confirm firmware version matches or exceeds patched versions listed in vendor advisory.📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in router logs
- Multiple failed login attempts followed by successful login
- Unexpected configuration changes
Network Indicators:
- Unusual outbound connections from router
- DNS queries to suspicious domains from router
- Unexpected port scans originating from router
SIEM Query:
source="router_logs" AND (event_type="command_execution" OR event_type="config_change") AND user!="admin"