CVE-2022-27642

Q: What is the severity of CVE-2022-27642?

CVE-2022-27642 has a CVSS score of 8.8 (HIGH). This vulnerability allows network-adjacent attackers to bypass authentication on NETGEAR R6700v3 routers by exploiting incorrect string matching logic in the httpd service. Attackers can combine this with other vulnerabilities to execute arbitrary code with root privileges. Only users of affected NETGEAR router models with vulnerable firmware versions are impacted.

8.8 HIGH

Remote Code Execution Authentication Bypass

📋 TL;DR

This vulnerability allows network-adjacent attackers to bypass authentication on NETGEAR R6700v3 routers by exploiting incorrect string matching logic in the httpd service. Attackers can combine this with other vulnerabilities to execute arbitrary code with root privileges. Only users of affected NETGEAR router models with vulnerable firmware versions are impacted.

💻 Affected Systems

Products:

NETGEAR R6700v3

Versions: 1.0.4.120_10.0.91 and earlier vulnerable versions

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects routers with default configurations. Network-adjacent access required (same local network segment).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution as root, allowing complete compromise of the router, network traffic interception, credential theft, and lateral movement to connected devices.

🟠

Likely Case

Authentication bypass leading to unauthorized access to router administration interface, configuration changes, and potential privilege escalation through chained exploits.

🟢

If Mitigated

Limited impact with proper network segmentation, firewall rules blocking adjacent network access, and intrusion detection monitoring.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Authentication bypass is straightforward, but achieving RCE requires chaining with other vulnerabilities. ZDI advisory suggests exploit chain is feasible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 1.0.4.122 or later

Vendor Advisory: https://kb.netgear.com/000064723/Security-Advisory-for-Multiple-Vulnerabilities-on-Multiple-Products-PSV-2021-0327

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates or manually download latest firmware from NETGEAR support site. 4. Upload and install firmware update. 5. Router will reboot automatically.

🔧 Temporary Workarounds

Disable remote administration

all

Prevents external access to router admin interface

Network segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

Replace affected router with updated model or different vendor
Implement strict firewall rules to limit access to router management interface from trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under Advanced > Administration > Firmware Update

Check Version:

Not applicable - check via web interface

Verify Fix Applied:

Confirm firmware version is 1.0.4.122 or later in router admin interface

📡 Detection & Monitoring

Log Indicators:

Failed authentication attempts followed by successful access to protected pages
Unusual access patterns to router admin interface from unexpected IPs

Network Indicators:

HTTP requests to router management interface with unusual URI patterns attempting to bypass authentication

SIEM Query:

source="router_logs" AND (event_type="auth_failure" OR event_type="admin_access") | stats count by src_ip

📊 Metadata

CVE ID: CVE-2022-27642

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-863

Published: March 29, 2023

Last Updated: November 21, 2024

🔗 References

https://kb.netgear.com/000064723/Security-Advisory-for-Multiple-Vulnerabilities-on-Multiple-Products-PSV-2021-0327 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-518/ Third Party Advisory,VDB Entry
https://kb.netgear.com/000064723/Security-Advisory-for-Multiple-Vulnerabilities-on-Multiple-Products-PSV-2021-0327 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-518/ Third Party Advisory,VDB Entry

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Cax80 Firmware by Netgear

Lax20 Firmware by Netgear

Mr60 Firmware by Netgear

Mr80 Firmware by Netgear

Ms60 Firmware by Netgear

Ms80 Firmware by Netgear

R6400 Firmware by Netgear

R6400 Firmware by Netgear

R6700 Firmware by Netgear

R6900p Firmware by Netgear

R7000 Firmware by Netgear

R7000p Firmware by Netgear

R7100lg Firmware by Netgear

R7850 Firmware by Netgear

R7900p Firmware by Netgear

R7960p Firmware by Netgear

R8000 Firmware by Netgear

R8000p Firmware by Netgear

R8500 Firmware by Netgear

Rax15 Firmware by Netgear

Rax20 Firmware by Netgear

Rax200 Firmware by Netgear

Rax35 Firmware by Netgear

Rax38 Firmware by Netgear

Rax40 Firmware by Netgear

Rax42 Firmware by Netgear

Rax43 Firmware by Netgear

Rax45 Firmware by Netgear

Rax48 Firmware by Netgear

Rax50 Firmware by Netgear

Rax50s Firmware by Netgear

Rax75 Firmware by Netgear

Rax80 Firmware by Netgear

Rs400 Firmware by Netgear