CVE-2021-45634
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary commands on affected NETGEAR WiFi systems. It affects multiple NETGEAR Orbi and Nighthawk mesh WiFi systems running outdated firmware. Attackers can exploit this without any credentials.
💻 Affected Systems
- NETGEAR CBR750
- NETGEAR RBK752
- NETGEAR RBR750
- NETGEAR RBS750
- NETGEAR RBK852
- NETGEAR RBR850
- NETGEAR RBS850
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to connected devices, and botnet recruitment.
Likely Case
Remote code execution allowing attackers to modify device settings, steal credentials, or use the device as a pivot point into the internal network.
If Mitigated
Limited impact with proper network segmentation and firewall rules preventing external access to management interfaces.
🎯 Exploit Status
Public exploit code exists and exploitation requires minimal technical skill due to the unauthenticated nature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CBR750: 4.6.3.6 or later; RBK752/RBR750/RBS750/RBK852/RBR850/RBS850: 3.2.17.12 or later
Vendor Advisory: https://kb.netgear.com/000064139/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-WiFi-Systems-PSV-2020-0515
Restart Required: Yes
Instructions:
1. Log into NETGEAR router web interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and apply if available. 4. Alternatively, download firmware from NETGEAR support site and manually upload. 5. Reboot device after update.
🔧 Temporary Workarounds
Disable Remote Management
allPrevent external access to router management interface
Network Segmentation
allIsolate router management interface to trusted network segment only
🧯 If You Can't Patch
- Replace affected devices with patched models or different vendors
- Implement strict firewall rules blocking all external access to router management ports (typically 80/443)
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router web interface under Advanced > Administration > Firmware UpdateCheck Version:
No CLI command; check via web interface or mobile appVerify Fix Applied:
Confirm firmware version is CBR750: 4.6.3.6+ or others: 3.2.17.12+📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Multiple failed authentication attempts followed by successful access
- Unexpected process creation
Network Indicators:
- Unusual outbound connections from router
- Traffic to known malicious IPs from router
- Port scanning originating from router
SIEM Query:
source="router_logs" AND (command_injection OR shell_exec OR system_call)