CVE-2022-37337

9.1 CRITICAL

📋 TL;DR

This CVE describes a command injection vulnerability in Netgear Orbi RBR750 routers running firmware version 4.6.8.5. An authenticated attacker can send specially crafted HTTP requests to execute arbitrary commands on the router with root privileges. This affects users of Netgear Orbi RBR750 systems with the vulnerable firmware.

💻 Affected Systems

Products:
  • Netgear Orbi RBR750
Versions: Firmware version 4.6.8.5
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker authentication to the router's web interface or API. Affects both satellite and main router units in Orbi systems.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the router allowing persistent backdoor installation, network traffic interception, lateral movement to connected devices, and router bricking.

🟠 Likely Case

Router takeover leading to DNS hijacking, credential theft from network traffic, and installation of malware on connected devices.

🟢 If Mitigated

Limited impact if proper network segmentation and authentication controls prevent attacker access to the router's admin interface.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid credentials but is straightforward once authenticated. Public technical details are available in the Talos report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 4.6.8.6 and later

Vendor Advisory: https://kb.netgear.com/000065417/Security-Advisory-for-Command-Injection-on-Some-Orbi-WiFi-Systems-PSV-2022-0187

Restart Required: Yes

Instructions:

1. Log into the Orbi web interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install firmware 4.6.8.6 or later.
4. Reboot the router after the update completes.

🔧 Temporary Workarounds

Disable remote management (applies to: all)

Prevent external access to the router admin interface.

Change default credentials (applies to: all)

Use strong, unique passwords for the router admin account.

🧯 If You Can't Patch

  • Isolate router on separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious HTTP requests to router admin interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under Advanced > Administration > Firmware Update

Check Version:

curl -s http://router_ip/debug_info.htm | grep Firmware

Verify Fix Applied:

Confirm firmware version is 4.6.8.6 or higher in router admin interface

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to router admin endpoints
  • Multiple failed login attempts followed by successful authentication

Network Indicators:

  • HTTP requests with shell metacharacters in parameters
  • Unusual outbound connections from router

SIEM Query:

source="router_logs" AND (url="*cgi-bin*" OR url="*debug*" OR url="*RST*statistics*htm") AND (method="POST" OR method="GET") AND (param="*;*" OR param="*|*" OR param="*`*" OR param="*$(*")
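As an added example (not part of this advisory), the logic of the SIEM query above applied in Python to constructed access-log lines: flag requests to router admin endpoints whose parameters carry shell metacharacters. The endpoint patterns and metacharacter set come from the query; the combined-log format, sample paths and values are assumptions, and percent-encoded values are decoded before matching because a plain wildcard match would miss them.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint patterns taken from the SIEM query (cgi-bin, debug, RST*statistics*htm).
ADMIN_PATHS = re.compile(r"(cgi-bin|debug|RST.*statistics.*htm)", re.IGNORECASE)
# Shell metacharacters from the SIEM query (; | ` $( ) plus a newline (assumption).
META = re.compile(r"[;|`\n]|\$\(")
# Combined log format is an assumption; Orbi's real log layout may differ.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Constructed sample log lines (not captured from a real router).
SAMPLE_LOG = """\
192.168.1.50 - admin [03/Oct/2022:10:01:02 +0000] "GET /RST_statistics.htm HTTP/1.1" 200 512
192.168.1.50 - admin [03/Oct/2022:10:01:05 +0000] "POST /cgi-bin/settings.cgi?ntp=pool.ntp.org HTTP/1.1" 200 88
192.168.1.77 - admin [03/Oct/2022:10:02:10 +0000] "POST /cgi-bin/settings.cgi?ntp=pool.ntp.org%3Bid HTTP/1.1" 200 88
192.168.1.77 - admin [03/Oct/2022:10:02:11 +0000] "GET /debug.htm?cmd=$(id) HTTP/1.1" 200 40
192.168.1.60 - - [03/Oct/2022:10:03:00 +0000] "GET /index.htm?lang=en HTTP/1.1" 200 1200
"""


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (name, decoded value) pairs whose value contains shell metacharacters."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decodes once; unquote catches double-encoding
        if META.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text: str) -> list[dict]:
    """Alert on admin-endpoint requests carrying metacharacters in any parameter."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        if not ADMIN_PATHS.search(path):
            continue  # only admin/debug endpoints are in scope for this rule
        hits = suspicious_params(m["target"])
        if hits:
            alerts.append({"ip": m["ip"], "user": m["user"], "method": m["method"],
                           "path": path, "params": hits})
    return alerts
```

Running scan_log(SAMPLE_LOG) yields two alerts, both from 192.168.1.77; the clean NTP request and the non-admin index page are not flagged.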
