CVE-2021-45591 – This vulnerability allows authenticated attacke... (How to Fix)

Q: What is the severity of CVE-2021-45591?

CVE-2021-45591 has a CVSS score of 8.4 (HIGH). This vulnerability allows authenticated attackers to execute arbitrary commands on affected NETGEAR WiFi systems. It affects RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850 devices running firmware versions before 3.2.16.6. Attackers must already have valid credentials to exploit this command injection flaw.

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary commands on affected NETGEAR WiFi systems. It affects RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850 devices running firmware versions before 3.2.16.6. Attackers must already have valid credentials to exploit this command injection flaw.

💻 Affected Systems

Products:

NETGEAR RBK752
NETGEAR RBR750
NETGEAR RBS750
NETGEAR RBK852
NETGEAR RBR850
NETGEAR RBS850

Versions: All versions before 3.2.16.6

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects both router and satellite units in these WiFi 6 mesh systems. Requires authenticated access to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to install persistent backdoors, intercept network traffic, pivot to internal networks, or use the device as part of a botnet.

🟠

Likely Case

Unauthorized configuration changes, network disruption, credential theft from connected devices, or installation of cryptocurrency miners.

🟢

If Mitigated

Limited to authenticated users only, reducing exposure to authorized personnel who might misuse their access.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires valid credentials but is straightforward once authenticated. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.16.6 or later

Vendor Advisory: https://kb.netgear.com/000064113/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-WiFi-Systems-PSV-2020-0099

Restart Required: Yes

Instructions:

1. Log into router web interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and install firmware version 3.2.16.6 or later. 4. Reboot the device after installation completes.

🔧 Temporary Workarounds

Restrict administrative access

all

Limit administrative interface access to trusted IP addresses only

Use strong unique credentials

all

Implement complex passwords and avoid credential reuse to reduce risk of authenticated exploitation

🧯 If You Can't Patch

Isolate affected devices on separate network segments with strict firewall rules
Implement network monitoring for unusual command execution patterns

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under Advanced > Administration > Firmware Update

Check Version:

Not applicable - check via web interface only

Verify Fix Applied:

Confirm firmware version shows 3.2.16.6 or higher after update

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in system logs
Multiple failed authentication attempts followed by successful login and command execution

Network Indicators:

Unexpected outbound connections from router
Unusual traffic patterns from router management interface

SIEM Query:

source="router_logs" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")

📊 Metadata

CVE ID: CVE-2021-45591

CVSS v3 Score: 8.4 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-77

Published: December 26, 2021

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-45591, you might also want to check these: