CVE-2021-45628

9.6 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary commands on affected NETGEAR WiFi systems through command injection. It affects multiple NETGEAR router and mesh WiFi system models running vulnerable firmware versions. Attackers can exploit this without any authentication.

💻 Affected Systems

Products (all NETGEAR):
  • CBR40
  • CBR750
  • RBK752
  • RBR750
  • RBS750
  • RBK852
  • RBR850
  • RBS850
  • RBS40V
  • RBW30
Affected Versions (firmware older than the listed release):
  • CBR40: before 2.5.0.24
  • CBR750: before 3.2.18.2
  • RBK752, RBR750, RBS750, RBK852, RBR850, RBS850: before 3.2.17.12
  • RBS40V: before 2.6.2.4
  • RBW30: before 2.6.2.2
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to install persistent malware, intercept all network traffic, pivot to internal networks, and use the device as a botnet node.

🟠 Likely Case

Device takeover leading to network surveillance, credential theft, DNS hijacking, and lateral movement to connected devices.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Directly exposed devices can be exploited by any internet-based attacker without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this, but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with public proof-of-concept code available. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: CBR40: 2.5.0.24+, CBR750: 3.2.18.2+, RBK752/RBR750/RBS750/RBK852/RBR850/RBS850: 3.2.17.12+, RBS40V: 2.6.2.4+, RBW30: 2.6.2.2+

Vendor Advisory: https://kb.netgear.com/000064125/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-WiFi-Systems-PSV-2020-0472

Restart Required: Yes

Instructions:

1. Log into the router admin interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and apply the latest firmware.
4. Reboot the device after the update completes.

🔧 Temporary Workarounds

Network Isolation (applies to: all affected models)

Place affected devices behind firewalls with strict inbound filtering to block external exploitation attempts.

Disable Remote Management (applies to: all affected models)

Disable WAN-side administration access to prevent external attackers from reaching vulnerable interfaces.

🧯 If You Can't Patch

  • Replace affected devices with patched models or alternative vendors
  • Implement strict network segmentation to isolate vulnerable devices from critical assets

🔍 How to Verify

Check if Vulnerable:

Check current firmware version via router admin interface at Advanced > Administration > Firmware Update

Check Version:

Login to router web interface and navigate to Advanced > Administration > Firmware Update to view current version

Verify Fix Applied:

Verify firmware version matches or exceeds patched versions listed in vendor advisory
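As an added example (not part of the advisory and not NETGEAR's code), a small Python triage script that compares an inventory of model/firmware pairs against the fixed versions listed above. The inventory entries are constructed sample data, and the firmware string format (optional leading "V", optional "_..." build suffix) is an assumption.

```python
# Minimum fixed firmware per affected model, taken from the advisory summary above.
FIXED_VERSIONS = {
    "CBR40": "2.5.0.24",
    "CBR750": "3.2.18.2",
    "RBK752": "3.2.17.12",
    "RBR750": "3.2.17.12",
    "RBS750": "3.2.17.12",
    "RBK852": "3.2.17.12",
    "RBR850": "3.2.17.12",
    "RBS850": "3.2.17.12",
    "RBS40V": "2.6.2.4",
    "RBW30": "2.6.2.2",
}

def parse_version(version):
    """Dotted firmware string -> tuple of ints (so 3.2.17.12 > 3.2.17.9, which plain
    string comparison gets wrong). Assumes an optional leading 'V' and an optional
    '_...' build suffix, both of which are dropped before parsing."""
    core = version.strip().lstrip("Vv").split("_", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())

def is_vulnerable(model, version):
    """True if below the fixed release, False if at/above it, None if not listed."""
    fixed = FIXED_VERSIONS.get(model.strip().upper())
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)

def triage(inventory):
    """Label each (model, firmware) pair as VULNERABLE, PATCHED or NOT_LISTED."""
    labels = {True: "VULNERABLE", False: "PATCHED", None: "NOT_LISTED"}
    return [(m, v, labels[is_vulnerable(m, v)]) for m, v in inventory]

# Constructed sample inventory (not real devices): model, reported firmware.
SAMPLE_INVENTORY = [
    ("RBR750", "V3.2.17.9"),     # below 3.2.17.12          -> VULNERABLE
    ("RBS750", "3.2.17.12"),     # exactly the fixed release -> PATCHED
    ("CBR750", "3.2.17.12"),     # CBR750 needs 3.2.18.2     -> VULNERABLE
    ("RBW30", "2.6.2.2_1.0.1"),  # build suffix ignored      -> PATCHED
    ("R7000", "1.0.11.100"),     # not on the affected list  -> NOT_LISTED
]

if __name__ == "__main__":
    for model, fw, status in triage(SAMPLE_INVENTORY):
        print(f"{model:8} {fw:16} {status}")
```

Note that CBR750 on 3.2.17.12 is still flagged: the same version number is the fix for the RBK/RBR/RBS models but not for CBR750, so the check must be per model.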

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed authentication attempts followed by successful access
  • Unexpected process creation

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to suspicious domains
  • Unexpected SSH/Telnet connections from router

SIEM Query:

source="router_logs" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")
