CVE-2021-45579 – This vulnerability allows authenticated users t... (How to Fix)

Q: What is the severity of CVE-2021-45579?

CVE-2021-45579 has a CVSS score of 8.4 (HIGH). This vulnerability allows authenticated users to execute arbitrary commands on affected NETGEAR WiFi systems through command injection. It affects specific NETGEAR Orbi mesh WiFi systems (RBK/RBR/RBS 750 and 850 series) running firmware versions before 3.2.16.6.

📋 TL;DR

This vulnerability allows authenticated users to execute arbitrary commands on affected NETGEAR WiFi systems through command injection. It affects specific NETGEAR Orbi mesh WiFi systems (RBK/RBR/RBS 750 and 850 series) running firmware versions before 3.2.16.6.

💻 Affected Systems

Products:

NETGEAR RBK752
NETGEAR RBR750
NETGEAR RBS750
NETGEAR RBK852
NETGEAR RBR850
NETGEAR RBS850

Versions: All versions before 3.2.16.6

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated access to the web interface or API. Affects both router and satellite units in the mesh systems.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could gain full control of the device, pivot to internal networks, install persistent backdoors, or use the device as a launch point for further attacks.

🟠

Likely Case

Malicious insiders or attackers who have obtained valid credentials could execute commands to disrupt network services, steal data, or compromise other devices on the network.

🟢

If Mitigated

With proper access controls and network segmentation, impact would be limited to the affected device only, preventing lateral movement.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires valid credentials but is straightforward once authenticated. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.16.6 or later

Vendor Advisory: https://kb.netgear.com/000064101/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-WiFi-Systems-PSV-2020-0087

Restart Required: Yes

Instructions:

1. Log into the NETGEAR Orbi web interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and install firmware version 3.2.16.6 or later. 4. The device will reboot automatically after update.

🔧 Temporary Workarounds

Restrict administrative access

all

Limit administrative access to trusted IP addresses only and use strong, unique passwords.

Network segmentation

all

Place affected devices in isolated network segments to limit potential lateral movement.

🧯 If You Can't Patch

Implement strict access controls and monitor for suspicious authentication attempts
Consider replacing affected devices with patched models if updates cannot be applied

🔍 How to Verify

Check if Vulnerable:

Check firmware version in web interface: Advanced > Administration > Firmware Update. If version is below 3.2.16.6, device is vulnerable.

Check Version:

No CLI command available. Must check via web interface.

Verify Fix Applied:

Verify firmware version shows 3.2.16.6 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Unusual command execution patterns in system logs
Multiple failed login attempts followed by successful authentication
Unexpected system processes or services

Network Indicators:

Unusual outbound connections from the router
Traffic patterns inconsistent with normal router operation

SIEM Query:

source="netgear-router" AND (event_type="authentication" AND result="success") FOLLOWED BY event_type="command_execution" WITHIN 5m

📊 Metadata

CVE ID: CVE-2021-45579

CVSS v3 Score: 8.4 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-77

Published: December 26, 2021

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-45579, you might also want to check these: