CVE-2021-27255 — HIGH (8.8)

Q: How severe is CVE-2021-27255?

CVE-2021-27255 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-27255?

Check the references section above for vendor advisories and patch information. Affected products include: Netgear Br200 Firmware, Netgear Br200, Netgear Br500 Firmware, Netgear Br500, Netgear D7800 Firmware.

Vulnerability Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability. The specific flaw exists within the refresh_status.aspx endpoint. The issue results from a lack of authentication required to start a service on the server. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-12360.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Netgear	Br200 Firmware	< 5.10.0.5
Netgear	Br200	-
Netgear	Br500 Firmware	< 5.10.0.5
Netgear	Br500	-
Netgear	D7800 Firmware	< 1.0.1.60
Netgear	D7800	-
Netgear	Ex6100V2 Firmware	< 1.0.1.98
Netgear	Ex6100V2	-
Netgear	Ex6150V2 Firmware	< 1.0.1.98
Netgear	Ex6150V2	-
Netgear	Ex6250 Firmware	< 1.0.0.134
Netgear	Ex6250	-
Netgear	Ex6400 Firmware	< 1.0.2.158
Netgear	Ex6400	-
Netgear	Ex6400V2 Firmware	< 1.0.0.134
Netgear	Ex6400V2	-
Netgear	Ex6410 Firmware	< 1.0.0.134
Netgear	Ex6410	-
Netgear	Ex6420 Firmware	< 1.0.0.134
Netgear	Ex6420	-

Related Weaknesses (CWE)

CWE-306

References

https://kb.netgear.com/000062883/Security-Advisory-for-Multiple-Vulnerabilities-PatchVendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-263/Third Party AdvisoryVDB Entry
https://kb.netgear.com/000062883/Security-Advisory-for-Multiple-Vulnerabilities-PatchVendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-263/Third Party AdvisoryVDB Entry

FAQ

What is CVE-2021-27255?

CVE-2021-27255 is a vulnerability with a CVSS score of 8.8 (HIGH). This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability....

How severe is CVE-2021-27255?

CVE-2021-27255 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-27255?

Check the references section above for vendor advisories and patch information. Affected products include: Netgear Br200 Firmware, Netgear Br200, Netgear Br500 Firmware, Netgear Br500, Netgear D7800 Firmware.