CVE-2021-27254
Severity CVSS v4.0:
Pending analysis
Type:
CWE-798
Use of Hard-coded Credentials
Publication date:
05/03/2021
Last modified:
25/04/2022
Description
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7800. Authentication is not required to exploit this vulnerability. The specific flaw exists within the apply_save.cgi endpoint. This issue results from the use of hard-coded encryption key. An attacker can leverage this vulnerability to execute arbitrary code in the context of root. Was ZDI-CAN-12287.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Base Score 2.0
8.30
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:netgear:br200_firmware:*:*:*:*:*:*:*:* | 5.10.0.5 (excluding) | |
| cpe:2.3:h:netgear:br200:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:netgear:br500_firmware:*:*:*:*:*:*:*:* | 5.10.0.5 (excluding) | |
| cpe:2.3:h:netgear:br500:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:netgear:d7800_firmware:*:*:*:*:*:*:*:* | 1.0.1.60 (excluding) | |
| cpe:2.3:h:netgear:d7800:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:netgear:ex6100v2_firmware:*:*:*:*:*:*:*:* | 1.0.1.98 (excluding) | |
| cpe:2.3:h:netgear:ex6100v2:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:netgear:ex6150v2_firmware:*:*:*:*:*:*:*:* | 1.0.1.98 (excluding) | |
| cpe:2.3:h:netgear:ex6150v2:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:netgear:ex6250_firmware:*:*:*:*:*:*:*:* | 1.0.0.134 (excluding) | |
| cpe:2.3:h:netgear:ex6250:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:netgear:ex6400_firmware:*:*:*:*:*:*:*:* | 1.0.2.158 (excluding) | |
| cpe:2.3:h:netgear:ex6400:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:netgear:ex6400v2_firmware:*:*:*:*:*:*:*:* | 1.0.0.134 (excluding) |
To consult the complete list of CPE names with products and versions, see this page