CVE-2021-45660
📋 TL;DR
This CVE describes a server-side injection vulnerability (CWE-74, improper neutralization of special elements) in certain NETGEAR Orbi WiFi systems, tracked by NETGEAR as PSV-2019-0133. An attacker who can reach the device's web interface can supply input that the firmware passes, unneutralized, to a downstream component on the device; NETGEAR's advisory does not name the affected component or describe the injection in detail. Affected users are those running the NETGEAR Orbi models listed below with firmware older than the fixed releases.
💻 Affected Systems
- NETGEAR RBK40
- NETGEAR RBR40
- NETGEAR RBS40
- NETGEAR RBK20
- NETGEAR RBR20
- NETGEAR RBS20
- NETGEAR RBK50
- NETGEAR RBR50
- NETGEAR RBS50
- NETGEAR RBS50Y
📦 What is this software?
NETGEAR Orbi is a consumer and small-office mesh WiFi product line: an RBR model is the router, an RBS model is a satellite that extends the mesh, and an RBK model is a kit containing a router plus one or more satellites. All of them run the same web management interface, which is reachable from the LAN by default and from the WAN only if Remote Management is enabled.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete device compromise, network infiltration, and potential lateral movement to connected devices.
Likely Case
Unauthorized access to device configuration, network traffic interception, or denial of service affecting WiFi connectivity.
If Mitigated
Limited impact if Remote Management is disabled (so the web interface is reachable only from the LAN) and LAN clients that can reach it are trusted or segmented away from untrusted devices.
🎯 Exploit Status
Neither NETGEAR's advisory nor this page publishes exploit details, and the CWE-74 classification says nothing about whether authentication is required; it only describes the bug class. Treat the vulnerability as reachable by anyone who can send requests to the web interface until the firmware is updated, and assume an attacker with that access would need only a crafted HTTP request rather than a complex exploit chain.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: RBK40/RBR40/RBS40/RBK20/RBR20/RBS20/RBK50/RBR50/RBS50: 2.5.1.16 or later; RBS50Y: 2.6.1.40 or later
Vendor Advisory: https://kb.netgear.com/000064064/Security-Advisory-for-Server-Side-Injection-on-Some-WiFi-Systems-PSV-2019-0133
Restart Required: Yes
Instructions:
1. Log into the Orbi web interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install the latest firmware.
4. Reboot the device after the update completes.
🔧 Temporary Workarounds
Disable Remote Management
Turn off Remote Management so the web administration interface is not reachable from the WAN side.
Network Segmentation
Place Orbi devices on an isolated network segment and restrict which hosts can reach their management interface.
🧯 If You Can't Patch
- Disable Remote Management; the LAN-side web interface cannot be turned off, so limit which LAN hosts can reach it
- Implement strict firewall rules on any upstream device to block all inbound WAN traffic to the Orbi management ports
🔍 How to Verify
Check if Vulnerable:
Check firmware version in Orbi web interface under Advanced > Administration > Firmware Update
Check Version:
No CLI command; check via web interface or mobile app
Verify Fix Applied:
Confirm firmware version is 2.5.1.16 or later (2.6.1.40 or later for RBS50Y)
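Comparing a reported firmware version against the fixed releases is easy to get wrong if the strings are compared as text ("2.5.1.9" sorts after "2.5.1.16" lexicographically but is the older build). The following is an added example, not code from this page or from NETGEAR: it takes the fixed versions listed above, parses the version string the way the Orbi UI displays it (with a leading "V"), and returns a verdict per device. The function names, the handling of a build suffix after an underscore, and the sample inventory are my own assumptions.

```python
# Added example: decide whether an Orbi firmware version predates the fix for
# CVE-2021-45660. Fixed versions are taken from the page; helper names are mine.

# All listed models except RBS50Y are fixed in 2.5.1.16; RBS50Y in 2.6.1.40.
FIXED_VERSIONS = {
    model: (2, 5, 1, 16)
    for model in ("RBK40", "RBR40", "RBS40", "RBK20", "RBR20", "RBS20",
                  "RBK50", "RBR50", "RBS50")
}
FIXED_VERSIONS["RBS50Y"] = (2, 6, 1, 40)


def parse_version(text):
    """Turn a UI version string such as 'V2.5.1.16' into a tuple of ints.

    Tuples compare numerically, so (2, 5, 1, 9) < (2, 5, 1, 16) as intended,
    whereas the strings '2.5.1.9' and '2.5.1.16' compare the wrong way round.
    """
    cleaned = text.strip()
    # The Orbi UI prefixes versions with 'V'; accept it with or without.
    if cleaned[:1] in ("V", "v"):
        cleaned = cleaned[1:]
    # Assumption: anything after an underscore is a build suffix and is not
    # part of the comparable version number.
    cleaned = cleaned.split("_", 1)[0]
    parts = cleaned.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(model, version):
    """True if `version` on `model` is older than the fixed release.

    Models not in the advisory raise ValueError rather than being reported
    as safe: absence from the list is not evidence of a fix.
    """
    key = model.strip().upper()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"{model!r} is not covered by this advisory")
    return parse_version(version) < FIXED_VERSIONS[key]


def assess(inventory):
    """Map each (model, version) pair to a verdict string."""
    verdicts = {}
    for model, version in inventory:
        try:
            state = "VULNERABLE" if is_vulnerable(model, version) else "patched"
        except ValueError as exc:
            state = f"unknown ({exc})"
        verdicts[(model, version)] = state
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [
        ("RBR50", "V2.5.1.14"),
        ("RBS50", "V2.5.1.9"),     # would wrongly pass a string comparison
        ("RBK50", "V2.5.1.16"),
        ("RBS50Y", "V2.5.1.16"),   # the satellite-only model needs 2.6.1.40
        ("RBS50Y", "V2.6.1.40"),
        ("RBR750", "V4.6.3.16"),   # not listed on this page
    ]
    for (model, version), verdict in assess(sample).items():
        print(f"{model:8} {version:10} {verdict}")
```

Feed it whatever your asset inventory exports; the point of the unknown verdict is that a model outside the advisory's list should be checked against NETGEAR's own pages rather than assumed fixed.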
📡 Detection & Monitoring
Log Indicators:
- Unusual web interface access patterns
- Malformed HTTP requests to administration endpoints
- Unexpected configuration changes
Network Indicators:
- Suspicious traffic to Orbi management ports (typically 80/443)
- Unusual outbound connections from Orbi device
SIEM Query:
source="netgear-orbi" AND (url="*admin*" OR url="*cgi*" OR url="*config*") AND (status=200 OR status=500) AND user_agent!="Mozilla*"
Orbi firmware does not export per-request web access logs, so this query assumes requests to the management interface are logged by an upstream firewall or reverse proxy and ingested under the source shown; adjust the field names to your own source.
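The same logic run over sample log lines, as an added example that is not part of the page or of any NETGEAR tooling: it parses combined-format access log lines as an upstream proxy or firewall in front of the management interface might write them, applies the page's rule (management path, status 200 or 500, non-browser user agent), and adds two checks the page's indicators imply but the query does not express: management paths reached from outside the LAN, and shell metacharacters in a decoded request. The log lines, the placeholder paths (not real Orbi endpoints), the trusted LAN range 192.168.1.0/24 and the function names are all constructed assumptions.

```python
# Added example: flag suspicious requests to an Orbi management interface
# from access log lines written by an upstream proxy or firewall.
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample log (combined log format). Paths are placeholders,
# not real Orbi endpoints; addresses are documentation ranges.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Jan/2022:09:14:02 +0000] "GET /index.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/96.0"
192.168.1.20 - - [10/Jan/2022:09:14:05 +0000] "POST /cgi-bin/example.cgi HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/96.0"
203.0.113.7 - - [10/Jan/2022:09:20:41 +0000] "GET /cgi-bin/example.cgi?name=test HTTP/1.1" 200 88 "-" "python-requests/2.26.0"
203.0.113.7 - - [10/Jan/2022:09:20:43 +0000] "GET /cgi-bin/example.cgi?name=test%3Bid HTTP/1.1" 500 0 "-" "python-requests/2.26.0"
198.51.100.9 - - [10/Jan/2022:09:25:10 +0000] "GET /admin/config.htm HTTP/1.1" 401 0 "-" "curl/7.79.1"
192.168.1.31 - - [10/Jan/2022:09:30:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (iPhone) Safari/605.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Same path patterns as the SIEM query above.
MGMT_PATH = re.compile(r"admin|cgi|config", re.IGNORECASE)
# Characters that separate or substitute commands in a shell; a generic
# heuristic for injection attempts, not a signature for this CVE.
INJECTION_CHARS = re.compile(r"[;|`\n]|\$\(|&&")
# Assumption: the Orbi LAN is the default 192.168.1.0/24 and nothing else
# should ever reach the management interface.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_line(line):
    """Parse one combined-format line; return None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "url": m["url"], "status": int(m["status"]), "ua": m["ua"]}


def classify(entry, trusted_nets=TRUSTED_NETS):
    """Return the list of reasons an entry is suspicious (empty if benign)."""
    reasons = []
    on_mgmt = bool(MGMT_PATH.search(entry["url"]))
    non_browser = not entry["ua"].startswith("Mozilla")
    src = ipaddress.ip_address(entry["ip"])
    if on_mgmt and entry["status"] in (200, 500) and non_browser:
        reasons.append("non-browser client on management path")
    if on_mgmt and not any(src in net for net in trusted_nets):
        reasons.append("management path reached from outside the LAN")
    # Decode first: an encoded ';' (%3B) is still a ';' to the device.
    if INJECTION_CHARS.search(unquote(entry["url"])):
        reasons.append("shell metacharacter in request")
    return reasons


def scan(log_text):
    """Return flagged entries, in log order, each with its reasons."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']:14} {hit['status']} {hit['method']} "
              f"{hit['url']}  <- {'; '.join(hit['reasons'])}")
```

The benign LAN browser POST to a cgi path is deliberately included and produces no hit, which is the false-positive check to keep in mind when tuning the user-agent rule: legitimate automation on the LAN (a monitoring script, the Orbi app's backend calls) will trip it, so pair it with the source-address check before alerting.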