Arbitrary Code Execution Vulnerability in NETGEAR Routers
CVE-2022-27647

8 HIGH

Key Information:

Vendor
Netgear
Status
Vendor
CVE Published: 29 March 2023

Summary

This vulnerability affects NETGEAR R6700v3 routers and allows network-adjacent attackers to execute arbitrary code. Authentication is generally required, but a flaw allows the authentication mechanism to be bypassed. The vulnerability stems from improper validation of user input in the name or email fields used by the libreadycloud.so component. When exploited, it could allow attackers to execute commands as root, potentially compromising the entire router.

Affected Version(s)

R6700v3 1.0.4.120_10.0.91

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

CVSS V3.0

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Bugscale team