CVE-2021-38528

CRITICAL

NETGEAR D8500/R6900P/R7000P/R7100LG/WNDR3400/XR300 - Unauthenticated Command Injection

Title source: llm

Description

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D8500 before 1.0.3.58, R6900P before 1.3.2.132, R7000P before 1.3.2.132, R7100LG before 1.0.0.64, WNDR3400v3 before 1.0.1.38, and XR300 before 1.0.3.56.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_misc

https://kb.netgear.com/000063781/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-Gateways-and-Routers-PSV-2020-0297

Scores

CVSS v3 9.6

EPSS 0.0369

EPSS Percentile 88.1%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-77

Status published

Products (6)

netgear/d8500_firmware < 1.0.3.58

netgear/r6900p_firmware < 1.3.2.132

netgear/r7000p_firmware < 1.3.2.132

netgear/r7100lg_firmware < 1.0.0.64

netgear/wndr3400_firmware < 1.0.1.38

netgear/xr300_firmware < 1.0.3.56

Published Aug 11, 2021

Tracked Since Feb 18, 2026