CVE-2021-27254

6.3MEDIUM

Key Information:

Vendor: Netgear
Status: R7800
Vendor: CVE Published:; 5 March 2021

Summary

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7800. Authentication is not required to exploit this vulnerability. The specific flaw exists within the apply_save.cgi endpoint. This issue results from the use of hard-coded encryption key. An attacker can leverage this vulnerability to execute arbitrary code in the context of root. Was ZDI-CAN-12287.

Affected Version(s)

R7800 firmware version 1.0.2.76

References

https://www.zerodayinitiative.com/advisories/ZDI-21-252/

x_refsource_MISC

https://kb.netgear.com/000062883/Security-Advisory-for-Mu...

x_refsource_MISC

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 5, 2021
Vulnerability Reserved
Feb 16, 2021

Credit

84c0