Main Vulnerability Database Vulnerabilities #VU3147

OS command injection in NETGEAR products - #VU3147

Published: January 3, 2017

Vulnerability identifier: #VU3147

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: N/A

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: NETGEAR

Affected software:
WNR2000v3
WNR2000v4
WNR2000v5

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary OS commands on vulnerable device.

The vulnerability exists due to unknown error in web management interface. A remote attacker with access to web management interface can reset administrator's password and execute arbitrary OS commands on vulnerable device.

Successful exploitation of the vulnerability will result in full compromise of vulnerable device.

All firmware versions of vulnerable devices are vulnerable.

Remediation

The vendor is working on a fix to address this vulnerability. As a temporary solution it is possible to install beta version of firmware:

Sources

https://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability...

OS command injection in NETGEAR products - #VU3147

Detailed vulnerability description

Remediation

Sources

Please verify you're human