CVE-2018-11106

CRITICAL

NETGEAR WC7500/WC7520/WC7600/WC9500 Firmware - Unauthenticated OS Command Injection via request_handler.php

Title source: llm

Description

NETGEAR has released fixes for a pre-authentication command injection in request_handler.php security vulnerability on the following product models: WC7500, running firmware versions prior to 6.5.3.5; WC7520, running firmware versions prior to 2.5.0.46; WC7600v1, running firmware versions prior to 6.5.3.5; WC7600v2, running firmware versions prior to 6.5.3.5; and WC9500, running firmware versions prior to 6.5.3.5.

References (1)

Core 1

Core References

Various Sources x_refsource_confirm

https://kb.netgear.com/000058243/Security-Advisory-for-Pre-Authentication-Command-Injection-in-request-handler-php-on-Some-Wireless-Controllers-PSV-2018-0051

Scores

CVSS v3 9.8

EPSS 0.0263

EPSS Percentile 85.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-77

Status published

Products (5)

netgear/wc7500_firmware < 6.5.3.5

netgear/wc7520_firmware < 2.5.0.46

netgear/wc7600v1_firmware < 6.5.3.5

netgear/wc7600v2_firmware < 6.5.3.5

netgear/wc9500_firmware < 6.5.3.5

Published Apr 01, 2020

Tracked Since Feb 18, 2026