CVE-2021-45547
📋 TL;DR
This vulnerability allows authenticated users to execute arbitrary commands on affected NETGEAR routers and WiFi systems through command injection. It affects multiple NETGEAR router models running outdated firmware versions, potentially allowing attackers with valid credentials to gain full control of the device.
💻 Affected Systems
- NETGEAR R7850
- R7900P
- R7960P
- R8000
- R8000P
- RAX200
- RAX75
- RAX80
- RBK752
- RBK852
- RBR750
- RBR850
- RBS750
- RBS850
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with valid credentials could gain complete control of the router, intercept all network traffic, deploy malware to connected devices, or use the router as a pivot point into the internal network.
Likely Case
An authenticated malicious insider or an attacker who has obtained valid credentials could execute arbitrary commands to modify router settings, steal credentials, or disrupt network services.
If Mitigated
With proper access controls, strong authentication, and network segmentation, the impact is limited to the router itself rather than the entire network.
🎯 Exploit Status
Exploitation requires valid authentication credentials but command injection is typically straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See specific version requirements in description (e.g., R7850 1.0.5.74 or later)
Vendor Advisory: https://kb.netgear.com/000064525/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Routers-and-WiFi-Systems-PSV-2020-0567
Restart Required: Yes
Instructions:
1. Log into router admin interface. 2. Navigate to firmware update section. 3. Check for and install latest firmware. 4. Reboot router after update completes.
🔧 Temporary Workarounds
Change default credentials
allChange all default usernames and passwords to strong, unique credentials to prevent unauthorized authentication.
Restrict admin access
allLimit admin interface access to specific IP addresses or disable remote administration if not needed.
🧯 If You Can't Patch
- Implement network segmentation to isolate the router from critical systems
- Enable logging and monitoring for suspicious authentication attempts and command execution
🔍 How to Verify
Check if Vulnerable:
Check router firmware version against affected versions listed in the advisoryCheck Version:
Log into router admin interface and check firmware version in settingsVerify Fix Applied:
Verify firmware version has been updated to patched version listed in advisory📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts
- Unexpected command execution in router logs
- Configuration changes from unusual sources
Network Indicators:
- Unusual outbound connections from router
- Traffic redirection or DNS changes
SIEM Query:
source="router_logs" AND (event="authentication" AND result="success" FROM unusual_ip) OR (event="command_execution")