CVE-2021-45632
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary commands on affected NETGEAR WiFi systems. It affects multiple NETGEAR router models running outdated firmware versions. Attackers can exploit this without any credentials.
💻 Affected Systems
- NETGEAR CBR750
- NETGEAR RBK752
- NETGEAR RBR750
- NETGEAR RBS750
- NETGEAR RBK852
- NETGEAR RBR850
- NETGEAR RBS850
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to connected devices, and potential data exfiltration.
Likely Case
Remote code execution allowing attackers to modify device settings, install malware, or use the device as part of a botnet.
If Mitigated
No impact if devices are patched or properly segmented from untrusted networks.
🎯 Exploit Status
Pre-authentication command injection with public technical details available. Simple exploitation makes weaponization likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CBR750: 4.6.3.6 or later; Others: 3.2.17.12 or later
Vendor Advisory: https://kb.netgear.com/000064137/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-WiFi-Systems-PSV-2020-0505
Restart Required: Yes
Instructions:
1. Log into NETGEAR router admin interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and install latest firmware. 4. Reboot device after update completes.
🔧 Temporary Workarounds
Network Segmentation
allIsolate affected devices from untrusted networks and limit access to management interfaces.
Firewall Rules
allBlock external access to router management interfaces (typically ports 80, 443, 8080).
🧯 If You Can't Patch
- Replace affected devices with patched or alternative models
- Implement strict network segmentation and access controls
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router admin interface under Advanced > Administration > Firmware UpdateCheck Version:
Check via web interface or SSH if enabled: cat /etc/versionVerify Fix Applied:
Confirm firmware version is CBR750: 4.6.3.6+ or others: 3.2.17.12+📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Multiple failed authentication attempts followed by successful access
- Unexpected process creation
Network Indicators:
- Unusual outbound connections from router
- Traffic to known malicious IPs from router
- Port scanning originating from router
SIEM Query:
source="router_logs" AND ("command injection" OR "unauthorized access" OR "shell execution")