CVE-2021-45553

8.7 HIGH

📋 TL;DR

This vulnerability allows an authenticated attacker to execute arbitrary commands on the underlying operating system of affected NETGEAR routers. It affects the R7000, R6900P and R7000P when they run firmware older than the fixed releases listed below. Exploitation requires valid credentials for the router's administrative interface, which makes this a post-authentication command injection (NETGEAR tracks it as PSV-2019-0225).

💻 Affected Systems

Products:
  • NETGEAR R7000
  • NETGEAR R6900P
  • NETGEAR R7000P
Versions: R7000 before 1.0.11.126, R6900P before 1.3.2.126, R7000P before 1.3.2.126
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the router's web interface or API. Routers still using default or weak admin credentials are effectively exposed to unauthenticated attackers, and enabling remote management exposes the login page to the internet.

📦 What is this software?

The R7000, R6900P and R7000P are NETGEAR Nighthawk consumer Wi-Fi routers. They run NETGEAR's Linux-based firmware and are administered through a web interface (reached via routerlogin.net or the router's LAN address), which is the entry point for this flaw.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and disable security features.

🟠

Likely Case

Router takeover enabling traffic monitoring, DNS hijacking, credential theft, and installation of backdoors for future access.

🟢

If Mitigated

Limited impact if strong authentication controls, network segmentation, and monitoring are in place to detect unusual authenticated activity.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid credentials but is straightforward once authenticated: the attacker only needs to submit a crafted request to the vulnerable management endpoint. Public exploit code exists, so unpatched routers with weak or default credentials should be treated as compromised-on-contact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: R7000: 1.0.11.126+, R6900P/R7000P: 1.3.2.126+

Vendor Advisory: https://kb.netgear.com/000064074/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Routers-PSV-2019-0225

Restart Required: Yes

Instructions:

1. Log into the router web interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates, or manually download the fixed firmware for your exact model from the NETGEAR support site.
4. Upload and install the firmware.
5. The router will reboot automatically; re-check the version after the reboot.

🔧 Temporary Workarounds

Change Default Credentials

Applies to: all

Replace default or shared admin passwords with strong, unique credentials. This does not remove the flaw, but it denies the authentication the exploit requires.

Disable Remote Management

Applies to: all

Turn off remote administration so the login page is no longer reachable from the WAN. The flaw remains exploitable by anyone who can reach the management interface from the LAN.

🧯 If You Can't Patch

  • Implement network segmentation so that only a dedicated management host or VLAN can reach the router's administrative interface
  • Enable logging (and forward it to syslog where the firmware allows) and monitor for admin logins from unexpected source addresses or at unexpected times
  • Audit DNS, port-forwarding and administration settings periodically; unexplained changes are the most visible sign of a takeover

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under Advanced > Administration > Firmware Update

Check Version:

No command-line check is listed on this page; read the version string (NETGEAR displays it in the form V1.0.11.126_10.2.100, where the part before the underscore is the firmware version) from the web interface and compare it with the fixed versions below.

Verify Fix Applied:

Confirm firmware version matches or exceeds patched versions: R7000 >= 1.0.11.126, R6900P/R7000P >= 1.3.2.126
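The comparison above is easy to get wrong by hand (string comparison puts "1.0.9.88" after "1.0.11.126"). The following is an added example, not NETGEAR code: it parses the version string as shown in the router UI, ignores the build suffix after the underscore, and compares numerically against the fixed releases listed on this page. The sample version strings are constructed.

```python
"""Check a NETGEAR firmware version string against the fixed versions for
CVE-2021-45553. Added example for this page, not NETGEAR code. The version
format assumed here (optional leading 'V', dotted numbers, optional
'_<build>' suffix, e.g. 'V1.0.11.126_10.2.100') matches the strings the
router UI shows; the suffix after '_' is ignored for the comparison."""
import re

# Fixed versions from the vendor advisory quoted on this page.
FIXED_VERSIONS = {
    "R7000": "1.0.11.126",
    "R6900P": "1.3.2.126",
    "R7000P": "1.3.2.126",
}


def parse_version(version: str) -> tuple:
    """Turn 'V1.0.11.126_10.2.100' into (1, 0, 11, 126).

    A shorter tuple compares as older than a longer one with the same
    prefix, e.g. (1, 0, 11) < (1, 0, 11, 126), which is the safe direction.
    """
    core = version.strip().lstrip("Vv").split("_", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(model: str, version: str) -> bool:
    """True if this model/firmware combination is below the fixed release."""
    model = model.strip().upper()
    if model not in FIXED_VERSIONS:
        raise ValueError(f"{model} is not listed as affected by CVE-2021-45553")
    return parse_version(version) < parse_version(FIXED_VERSIONS[model])


if __name__ == "__main__":
    # Constructed sample inputs, not readings from real devices.
    for model, ver in [("R7000", "V1.0.9.88_10.2.88"),
                       ("R7000", "V1.0.11.126_10.2.100"),
                       ("R7000P", "V1.3.2.124_10.1.56"),
                       ("R6900P", "V1.3.3.148_10.1.80")]:
        state = "VULNERABLE" if is_vulnerable(model, ver) else "fixed"
        print(f"{model:7} {ver:24} {state}")
```

Run it with the version string copied from the Firmware Update page; anything reported as VULNERABLE needs the update from the Official Fix section.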

📡 Detection & Monitoring

Log Indicators:

  • Admin logins from unexpected source addresses, especially WAN addresses when remote management is enabled (consumer NETGEAR firmware does not log individual command execution, so the login event is the earliest signal available)
  • Multiple failed login attempts followed by a successful login from the same source
  • Configuration changes you did not make (DNS servers, port forwarding, remote management, admin password)

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to suspicious domains
  • Traffic redirection patterns

SIEM Query (illustrative pseudo-query; field names depend on how the router syslog is parsed, and "router_logs" is a placeholder source name):

source="router_logs" AND event="admin login" AND NOT src_ip IN (trusted_management_subnets)
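The pseudo-query above only becomes useful once the router's syslog lines are parsed into fields. The following is an added example, not NETGEAR code or a vendor query: it parses constructed log lines written in the bracketed NETGEAR syslog style ("[event] from source <ip>, <weekday>, <date>") and flags the two login indicators listed above, a login from outside the trusted management network and a success preceded by repeated failures. The regex, the trusted subnet, the thresholds and all sample lines are this example's assumptions; check the exact event strings your firmware emits before relying on it.

```python
"""Flag suspicious admin logins in NETGEAR-style router syslog.
Added example for this page, not NETGEAR code. Log lines below are
constructed in the bracketed NETGEAR style; the event strings, the trusted
subnet and the thresholds are assumptions to adjust for a real deployment."""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed line format: "[admin login] from source 1.2.3.4, Wednesday, Jan 12,2022 10:15:09"
EVENT_RE = re.compile(
    r"^\[(?P<event>admin login(?: failure)?)\] from source (?P<src>[\d.]+), "
    r"\w+, (?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
[admin login] from source 192.168.1.10, Wednesday, Jan 12,2022 09:02:11
[admin login failure] from source 203.0.113.5, Wednesday, Jan 12,2022 10:14:40
[admin login failure] from source 203.0.113.5, Wednesday, Jan 12,2022 10:14:52
[admin login failure] from source 203.0.113.5, Wednesday, Jan 12,2022 10:15:01
[admin login] from source 203.0.113.5, Wednesday, Jan 12,2022 10:15:09
[DHCP IP: 192.168.1.23] to MAC address 00:11:22:33:44:55, Wednesday, Jan 12,2022 10:20:00
[admin login] from source 192.168.1.77, Wednesday, Jan 12,2022 11:30:00
"""

TRUSTED_ADMIN = ipaddress.ip_network("192.168.1.0/24")  # assumed management LAN
MAX_FAILURES = 3                                         # failures before a success is flagged
WINDOW = timedelta(minutes=5)                            # look-back for those failures


def parse_events(log_text):
    """Return (timestamp, event, source_ip) for every admin login line."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # DHCP, DoS and other entries are not login events
        ts = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
        events.append((ts, m["event"], ipaddress.ip_address(m["src"])))
    return events


def find_suspicious_logins(log_text):
    """Return (timestamp, source, reason) for each admin login worth a look."""
    findings = []
    failures = {}  # source -> timestamps of recent failed logins
    for ts, event, src in parse_events(log_text):
        if event == "admin login failure":
            failures.setdefault(src, []).append(ts)
            continue
        reasons = []
        if src not in TRUSTED_ADMIN:
            reasons.append("login from outside the trusted management network")
        recent = [t for t in failures.get(src, []) if ts - t <= WINDOW]
        if len(recent) >= MAX_FAILURES:
            reasons.append(f"{len(recent)} failed logins in the previous {WINDOW}")
        failures.pop(src, None)  # a success resets the counter for that source
        if reasons:
            findings.append((ts, str(src), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ts, src, reason in find_suspicious_logins(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {src:15}  {reason}")
```

On the sample log only the 10:15:09 login from 203.0.113.5 is reported, for both reasons; the two LAN logins pass. A real deployment would feed the router's forwarded syslog into `find_suspicious_logins` and cross-check any hit against the configuration-change indicators listed above.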

🔗 References

  • NETGEAR security advisory PSV-2019-0225: https://kb.netgear.com/000064074/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Routers-PSV-2019-0225
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-45553