CVE-2021-45603

MEDIUM

NETGEAR Multiple Routers - Unauthenticated Sensitive Information Exposure via UPnP Request

Title source: llm

Description

Certain NETGEAR devices are affected by disclosure of sensitive information. A UPnP request reveals a device's serial number, which can be used for a password reset. This affects D7800 before 1.0.1.66, EX2700 before 1.0.1.68, WN3000RPv2 before 1.0.0.90, WN3000RPv3 before 1.0.2.100, LBR1020 before 2.6.5.20, LBR20 before 2.6.5.32, R6700AX before 1.0.10.110, R7800 before 1.0.2.86, R8900 before 1.0.5.38, R9000 before 1.0.5.38, RAX10 before 1.0.10.110, RAX120v1 before 1.2.3.28, RAX120v2 before 1.2.3.28, RAX70 before 1.0.10.110, RAX78 before 1.0.10.110, XR450 before 2.3.2.130, XR500 before 2.3.2.130, and XR700 before 1.0.1.46.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_misc

https://immersivelabs.com/resources/blog/netgear-vulnerabilities-could-put-small-business-routers-at-risk/

Patch, Vendor Advisory x_refsource_misc

https://kb.netgear.com/000064407/Security-Advisory-for-Post-Authentication-Command-Injection-Sensitive-Information-Disclosure-on-Multiple-Products-PSV-2021-0169-PSV-2021-0171

Scores

CVSS v3 6.1

EPSS 0.0004

EPSS Percentile 11.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Details

CWE

CWE-200

Status published

Products (18)

netgear/d7800_firmware < 1.0.1.66

netgear/ex2700_firmware < 1.0.1.68

netgear/lbr1020_firmware < 2.6.5.20

netgear/lbr20_firmware < 2.6.5.32

netgear/r6700ax_firmware < 1.0.10.110

netgear/r7800_firmware < 1.0.2.86

netgear/r8900_firmware < 1.0.5.38

netgear/r9000_firmware < 1.0.5.38

netgear/rax10_firmware < 1.0.10.110

netgear/rax120v1_firmware < 1.2.3.28

... and 8 more

Published Dec 26, 2021

Tracked Since Feb 18, 2026