CVE-2021-45624

CRITICAL

NETGEAR Multiple Router Models Firmware - Unauthenticated Command Injection

Title source: llm

Description

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D7000v2 before 1.0.0.66, D8500 before 1.0.3.58, R7000 before 1.0.11.110, R7100LG before 1.0.0.72, R7900 before 1.0.4.30, R8000 before 1.0.4.62, XR300 before 1.0.3.56, R7000P before 1.3.2.132, R8500 before 1.0.2.144, R6900P before 1.3.2.132, and R8300 before 1.0.2.144.

References (1)

Core 1

Core References

Patch, Vendor Advisory x_refsource_misc

https://kb.netgear.com/000064485/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-Routers-PSV-2020-0298

Scores

CVSS v3 9.6

EPSS 0.0119

EPSS Percentile 79.1%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-77

Status published

Products (11)

netgear/d7000v2_firmware < 1.0.0.66

netgear/d8500_firmware < 1.0.3.58

netgear/r6900p_firmware < 1.3.2.132

netgear/r7000_firmware < 1.0.11.110

netgear/r7000p_firmware < 1.3.2.132

netgear/r7100lg_firmware < 1.0.0.72

netgear/r7900_firmware < 1.0.4.30

netgear/r8000_firmware < 1.0.4.62

netgear/r8300_firmware < 1.0.2.144

netgear/r8500_firmware < 1.0.2.144

... and 1 more

Published Dec 26, 2021

Tracked Since Feb 18, 2026