CVE-2021-45571
📋 TL;DR
This vulnerability allows an authenticated user to execute arbitrary commands on affected NETGEAR WiFi systems via command injection. It impacts specific NETGEAR Orbi mesh WiFi router models (RBK752, RBR750, RBS750, RBK852, RBR850, RBS850) running firmware versions before 3.2.16.6, potentially leading to full system compromise.
💻 Affected Systems
- NETGEAR RBK752
- NETGEAR RBR750
- NETGEAR RBS750
- NETGEAR RBK852
- NETGEAR RBR850
- NETGEAR RBS850
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with valid credentials gains full remote code execution, enabling them to take complete control of the device, steal sensitive data, pivot to internal networks, or deploy persistent malware.
Likely Case
An authenticated malicious insider or compromised account exploits the vulnerability to execute commands, potentially disrupting network services, modifying configurations, or conducting reconnaissance.
If Mitigated
With strong authentication controls, network segmentation, and up-to-date patches, the impact is limited to unauthorized command execution by authenticated users, which can be detected and contained.
🎯 Exploit Status
Exploitation requires authenticated access; no public proof-of-concept has been disclosed, but the vulnerability is well-documented in advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version 3.2.16.6 or later
Vendor Advisory: https://kb.netgear.com/000064093/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-WiFi-Systems-PSV-2020-0079
Restart Required: Yes
Instructions:
1. Log into the NETGEOrbi web interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and install firmware version 3.2.16.6 or higher. 4. Reboot the device after installation.
🔧 Temporary Workarounds
Restrict Management Access
allLimit access to the device's management interface to trusted IP addresses only, reducing exposure to potential attackers.
Configure firewall rules to allow management access only from specific IPs (e.g., using iptables on Linux: sudo iptables -A INPUT -p tcp --dport 80,443 -s TRUSTED_IP -j ACCEPT; sudo iptables -A INPUT -p tcp --dport 80,443 -j DROP)
Enforce Strong Authentication
allUse complex, unique passwords and enable multi-factor authentication if supported to prevent credential-based attacks.
Change default passwords via web interface; use password managers to generate strong passwords.
🧯 If You Can't Patch
- Isolate affected devices in a segmented network to limit lateral movement and potential damage.
- Monitor logs for unusual authentication attempts or command execution patterns to detect exploitation early.
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface (Advanced > Administration > Firmware Update) or SSH if enabled; compare to version 3.2.16.6.Check Version:
From the device's web interface or via SSH: show version or similar command; exact command may vary by model.Verify Fix Applied:
Confirm the firmware version is 3.2.16.6 or higher in the device settings; test authenticated command injection attempts to ensure they are blocked.📡 Detection & Monitoring
Log Indicators:
- Unusual command execution logs in system logs, failed or successful authentication attempts from unexpected sources, or abnormal process creation events.
Network Indicators:
- Suspicious outbound connections from the device to unknown IPs, unexpected traffic spikes, or anomalies in management port (e.g., 80, 443) activity.
SIEM Query:
Example: source="netgear_device" AND (event_type="command_injection" OR auth_failure OR process="unusual")