CVE-2021-45624

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D7000v2 before 1.0.0.66, D8500 before 1.0.3.58, R7000 before 1.0.11.110, R7100LG before 1.0.0.72, R7900 before 1.0.4.30, R8000 before 1.0.4.62, XR300 before 1.0.3.56, R7000P before 1.3.2.132, R8500 before 1.0.2.144, R6900P before 1.3.2.132, and R8300 before 1.0.2.144.

Published: Dec 26, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-45624
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
netgear / d7000v2_firmware	-	1.0.0.66
netgear / d8500_firmware	-	1.0.3.58
netgear / r7000_firmware	-	1.0.11.110
netgear / r7100lg_firmware	-	1.0.0.72
netgear / r7900_firmware	-	1.0.4.30
netgear / r8000_firmware	-	1.0.4.62
netgear / xr300_firmware	-	1.0.3.56
netgear / r7000p_firmware	-	1.3.2.132
netgear / r8500_firmware	-	1.0.2.144
netgear / r6900p_firmware	-	1.3.2.132
netgear / r8300_firmware	-	1.0.2.144

https://kb.netgear.com/000064485/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-Routers-PSV-2020-0298

Vulnerability Database

289,697

CVE-2021-45624