CVE-2021-31802

HIGH

NETGEAR R7000 Firmware < 1.0.11.116 - Unauthenticated Remote Code Execution via Backup.cgi File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-31802. PoCs published by colorlight2019, SSD Disclosure, Grant Willcox (tekwizz123), including Metasploit module auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce.

AI-analyzed exploit summary: This Metasploit module exploits a heap buffer overflow in Netgear R7000 routers via the backup.cgi endpoint, leading to unauthenticated remote code execution as root. It enables the telnet server for post-exploitation access.

Description

NETGEAR R7000 1.0.11.116 devices have a heap-based Buffer Overflow that is exploitable from the local network without authentication. The vulnerability exists within the handling of an HTTP request. An attacker can leverage this to execute code as root. The problem is that a user-provided length value is trusted during a backup.cgi file upload. The attacker must add a \n before the Content-Length header.

Exploits (1)

metasploit WORKING POC
by colorlight2019, SSD Disclosure, Grant Willcox (tekwizz123) · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce.rb


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Netgear R7000 firmware version 1.0.11.116
No auth needed
Prerequisites: Network access to the target router · Vulnerable firmware version
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Vendor Advisory x_refsource_misc
https://www.netgear.com/about/security/

Scores

CVSS v3 8.8
EPSS 0.1372
EPSS Percentile 94.5%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-787
Status published
Products (1)
netgear/r7000_firmware < 1.0.11.116
Published Apr 26, 2021
Tracked Since Feb 18, 2026