CVE-2021-45626

CRITICAL

NETGEAR RBK20/RBR20/RBS20/RBK40/RBR40/RBS40/RBK50/RBR50/RBS50/RBS50Y Firmware - Unauthenticated OS Command Injection

Title source: llm

Description

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects RBK20 before 2.6.1.36, RBR20 before 2.6.1.36, RBS20 before 2.6.1.38, RBK40 before 2.6.1.36, RBR40 before 2.6.1.36, RBS40 before 2.6.1.38, RBK50 before 2.6.1.40, RBR50 before 2.6.1.40, RBS50 before 2.6.1.40, and RBS50Y before 2.6.1.40.

References (1)

Core 1

Core References

Patch, Vendor Advisory x_refsource_misc

https://kb.netgear.com/000064068/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-WiFi-Systems-PSV-2019-0152

Scores

CVSS v3 9.6

EPSS 0.0021

EPSS Percentile 43.2%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-77

Status published

Products (10)

netgear/rbk20_firmware < 2.6.1.38

netgear/rbk40_firmware < 2.6.1.38

netgear/rbk50_firmware < 2.6.1.40

netgear/rbr20_firmware < 2.6.1.36

netgear/rbr40_firmware < 2.6.1.36

netgear/rbr50_firmware < 2.6.1.40

netgear/rbs20_firmware < 2.6.1.38

netgear/rbs40_firmware < 2.6.1.38

netgear/rbs50_firmware < 2.6.1.40

netgear/rbs50y_firmware < 2.6.1.40

Published Dec 26, 2021

Tracked Since Feb 18, 2026