CVE-2021-45549
📋 TL;DR
This vulnerability allows authenticated users to execute arbitrary commands on affected NETGEAR routers, extenders, and WiFi systems. Attackers with valid credentials can inject malicious commands through vulnerable interfaces, potentially gaining full control of the device. The vulnerability affects numerous NETGEAR models with specific firmware versions.
💻 Affected Systems
- NETGEAR LAX20
- MK62
- MR60
- MS60
- R6400v2
- R6700v3
- R6900P
- R7000
- R7000P
- R7850
- R7900
- R7900P
- R7960P
- R8000
- R8000P
- RAX15
- RAX20
- RAX200
- RAX35v2
- RAX40v2
- RAX43
- RAX45
- RAX50
- RAX75
- RAX80
- RS400
- XR1000
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full device compromise allowing attacker to intercept all network traffic, install persistent backdoors, pivot to internal networks, and use device as part of botnet.
Likely Case
Local network compromise where attacker gains control of router to intercept traffic, modify DNS settings, or disable security features.
If Mitigated
Limited impact if strong authentication controls prevent unauthorized access and network segmentation isolates the device.
🎯 Exploit Status
Exploitation requires valid credentials but command injection vulnerabilities are typically easy to weaponize once authentication is bypassed or obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Varies by model (e.g., LAX20 1.1.6.28, R7000 1.0.11.116, RAX50 1.0.3.96)
Vendor Advisory: https://kb.netgear.com/000064513/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Routers-Extenders-and-WiFi-Systems-PSV-2020-0517
Restart Required: Yes
Instructions:
1. Log into NETGEAR router web interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and apply latest firmware. 4. Reboot device after update completes.
🔧 Temporary Workarounds
Disable remote management
allPrevent external access to router administration interface
Implement strong authentication
allUse complex passwords and enable multi-factor authentication if available
🧯 If You Can't Patch
- Segment network to isolate router management interface
- Implement strict access controls limiting who can authenticate to router
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router web interface under Advanced > Administration > Firmware Update and compare with patched versions in advisory.Check Version:
Login to router web interface and navigate to Advanced > Administration > Firmware Update to view current version.Verify Fix Applied:
Confirm firmware version matches or exceeds patched version listed in NETGEAR security advisory.📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Multiple failed authentication attempts followed by successful login
- Unexpected process execution or configuration changes
Network Indicators:
- Unusual outbound connections from router
- DNS configuration changes
- Unexpected port openings on router
SIEM Query:
source="router_logs" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*)")