CVE-2023-49007

CVSS Score: 9.8 CRITICAL

📋 TL;DR

A stack-based buffer overflow vulnerability exists in the httpd service of Netgear Orbi RBR750 routers running firmware versions before V7.2.6.21. This vulnerability allows remote attackers to execute arbitrary code with root privileges, potentially taking full control of affected devices. All users of Netgear Orbi RBR750 routers with vulnerable firmware are affected.

💻 Affected Systems

Products:
  • Netgear Orbi RBR750
Versions: All firmware versions before V7.2.6.21
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The httpd service runs by default on port 80 and is accessible from the local network.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise leading to persistent backdoor installation, credential theft, network traffic interception, and use as a pivot point for attacking internal networks.

🟠 Likely Case: Remote code execution resulting in device takeover, malware deployment, and participation in botnets.

🟢 If Mitigated: Limited impact if the device is behind a firewall with restricted inbound access and network segmentation.

🌐 Internet-Facing: HIGH - The httpd service is typically exposed to the local network, and to the internet if port forwarding is configured.
🏢 Internal Only: HIGH - Even internal attackers can exploit this vulnerability to gain root access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code is available on GitHub, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V7.2.6.21

Vendor Advisory: https://www.netgear.com/about/security/

Restart Required: Yes

Instructions:

1. Log into the Orbi web interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install V7.2.6.21.
4. Reboot the router after the update completes.

🔧 Temporary Workarounds

Network Access Control (applies to: all)

Restrict access to the Orbi web interface using firewall rules.

Disable Remote Management (applies to: all)

Turn off remote management features to limit the attack surface.

🧯 If You Can't Patch

  • Isolate Orbi router on separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious traffic to/from Orbi device

🔍 How to Verify

Check if Vulnerable:

Check firmware version in Orbi web interface under Advanced > Administration > Firmware Update

Check Version:

Not applicable - check via web interface only

Verify Fix Applied:

Confirm firmware version shows V7.2.6.21 or higher
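
As an added example that is not part of this advisory, the following Python check decides whether a firmware string read from the Orbi web interface is older than the fixed release V7.2.6.21. It compares segment by segment as integers, so a hypothetical later V7.2.10.x is not misjudged as older than V7.2.6.21 the way a plain string comparison would; the version strings are from the advisory, everything else (function names, sample inputs) is assumed.

```python
import re

# Fix threshold from the advisory: firmware before V7.2.6.21 is vulnerable.
FIXED_VERSION = "V7.2.6.21"


def parse_version(version: str) -> tuple[int, ...]:
    """Parse a Netgear-style firmware string such as 'V7.2.6.21' into integers.

    Accepts an optional leading 'V'/'v' and surrounding whitespace. Anything
    that is not dot-separated digits is rejected, so a garbled or empty UI
    string can never be read as "patched".
    """
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", version)
    if not m:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.

    Missing trailing segments count as zero, so V7.2.6 equals V7.2.6.0.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed firmware is older than the fixed release."""
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed sample values for illustration, not readings from real devices.
    for v in ["V7.2.5.2", "V7.2.6.21", "V7.2.10.1", "v7.2.6"]:
        print(v, "VULNERABLE" if is_vulnerable(v) else "patched")
```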

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests handled by the /usr/sbin/httpd process
  • Process crashes of httpd service
  • Unexpected root privilege escalation

Network Indicators:

  • Unusual outbound connections from Orbi device
  • Suspicious HTTP traffic to router management interface

SIEM Query:

source="orbi-router" AND (event="httpd_crash" OR http_request CONTAINS "overflow" OR (process="httpd" AND privilege="root"))
