CVE-2021-45551

7.6 HIGH

📋 TL;DR

This vulnerability allows authenticated users on affected NETGEAR routers to execute arbitrary commands through command injection. Attackers with valid credentials can potentially gain full control of the device. It impacts multiple NETGEAR router models running outdated firmware versions.

💻 Affected Systems

Products:
  • NETGEAR D6200
  • D7000
  • R6020
  • R6080
  • R6050
  • JR6150
  • R6120
  • R6220
  • R6230
  • R6260
  • R6800
  • R6700v2
  • R6900v2
  • R7450
  • AC2100
  • AC2400
  • AC2600
  • WNR2020
Versions: Firmware versions before those specified in the CVE description (e.g., D6200 before 1.1.00.40)
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access, but many routers use default credentials that are commonly known.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the router allowing attackers to intercept traffic, modify DNS settings, install persistent malware, and pivot to internal networks.

🟠 Likely Case: Unauthorized configuration changes, credential theft, and installation of backdoors by attackers with stolen or default credentials.

🟢 If Mitigated: Limited impact if strong authentication is enforced and network segmentation isolates routers from critical systems.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices that can be targeted remotely by authenticated attackers.
🏢 Internal Only: MEDIUM - Internal attackers with credentials could exploit this, but requires authentication first.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication but is straightforward once credentials are obtained. Public exploit code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Minimum versions specified in CVE description (e.g., D6200 1.1.00.40 or later)

Vendor Advisory: https://kb.netgear.com/000064056/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Routers-PSV-2019-0022

Restart Required: Yes

Instructions:

1. Log into the router admin interface.
2. Navigate to the firmware update section.
3. Download the latest firmware from the NETGEAR support site.
4. Upload and install the firmware.
5. Reboot the router after installation.

🔧 Temporary Workarounds

Change default credentials

Change the router admin password from the default to a strong, unique password.

Disable remote administration

Turn off remote management features to prevent external access.

🧯 If You Can't Patch

  • Isolate router on separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious router configuration changes

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface and compare it against the patched versions listed in the CVE.

Check Version:

Log into the router web interface and check the firmware version in settings.

Verify Fix Applied:

Confirm the firmware version matches or exceeds the minimum patched version specified in the CVE.

📡 Detection & Monitoring

Log Indicators:

  • Unusual configuration changes in router logs
  • Multiple failed login attempts followed by successful login

Network Indicators:

  • Unexpected outbound connections from router
  • DNS hijacking or unusual DNS queries

SIEM Query:

source="router_logs" AND (event="configuration_change" OR event="firmware_update")
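
The log indicator "multiple failed login attempts followed by successful login" can be checked offline against exported router logs. The following is an added example, not part of the original advisory or any NETGEAR tooling; the log line format, field names, thresholds and sample lines are constructed assumptions and must be adapted to what the device actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format; real router syslog
# output differs, so adapt LINE_RE to what your device actually emits.
SAMPLE_LOG = """\
2021-12-27T10:00:01 login failed user=admin src=192.0.2.10
2021-12-27T10:00:05 login failed user=admin src=192.0.2.10
2021-12-27T10:00:09 login failed user=admin src=192.0.2.10
2021-12-27T10:00:14 login success user=admin src=192.0.2.10
2021-12-27T10:00:20 configuration_change user=admin src=192.0.2.10
2021-12-27T11:30:00 login failed user=admin src=198.51.100.7
2021-12-27T11:30:40 login success user=admin src=198.51.100.7
2021-12-27T12:00:00 login success user=admin src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>failed|success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def find_suspicious_logins(log_text, min_failures=3, window=timedelta(minutes=5)):
    """Return (timestamp, src, user, failures) for each success preceded by
    at least min_failures failures from the same source within window."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login event (or a format we do not know)
        ts = datetime.fromisoformat(m["ts"])
        recent = failures[m["src"]]
        while recent and ts - recent[0] > window:
            recent.popleft()  # expire failures outside the window
        if m["result"] == "failed":
            recent.append(ts)
        else:
            if len(recent) >= min_failures:
                alerts.append((m["ts"], m["src"], m["user"], len(recent)))
            recent.clear()  # a success resets the streak for this source
    return alerts

if __name__ == "__main__":
    for ts, src, user, n in find_suspicious_logins(SAMPLE_LOG):
        print(f"{ts} {user}@{src}: login succeeded after {n} failures")
```

An alert from this check is most useful when correlated with a configuration change or firmware update event from the same source shortly afterwards.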
