NetGear · Netgear Orbi · CVE-2020-27861
**Name of the Vulnerable Software and Affected Versions**
NETGEAR Orbi version 2.5.1.16
**Description**
This issue allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi routers. Authentication is not required to exploit this issue. The specific flaw exists within the `UA Parser` utility. A crafted `Host Name` option in a DHCP request can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this issue to execute code in the context of `root`.
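As an added example (not NETGEAR code and not taken from this advisory), the following Python parses the options area of a DHCPv4 message, extracts option 12 (`Host Name`) and rejects any value that is not a plain RFC 1123 hostname, which is the allow-list check a DHCP consumer should apply before a client-supplied string gets anywhere near a system call. The minimal packet builder and the sample hostnames are constructed here for the demonstration.

```python
# Added example: allow-list validation of the DHCP Host Name option (option 12).
import re

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the 236-byte BOOTP header
OPT_HOST_NAME = 12
# RFC 1123 hostname: labels of letters, digits and inner hyphens, 1-63 chars each.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: value_bytes} from a raw DHCPv4 message."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCPv4 message")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:           # pad option, no length byte
            i += 1
            continue
        if code == 255:         # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def hostname_is_safe(raw: bytes) -> bool:
    """Accept only ASCII RFC 1123 hostnames; metacharacters, NULs, spaces fail."""
    try:
        return bool(HOSTNAME_RE.match(raw.decode("ascii"))) and len(raw) <= 253
    except UnicodeDecodeError:
        return False


def build_discover(hostname: bytes) -> bytes:
    """Constructed sample: minimal DHCPDISCOVER carrying option 12."""
    header = bytes([1, 1, 6, 0]) + b"\x00" * 232      # op/htype/hlen/hops + zeroed rest
    options = bytes([53, 1, 1]) + bytes([OPT_HOST_NAME, len(hostname)]) + hostname + b"\xff"
    return header + DHCP_MAGIC + options


def host_name_acceptable(packet: bytes) -> bool:
    """True when the message has no Host Name option or a well-formed one."""
    host = parse_dhcp_options(packet).get(OPT_HOST_NAME)
    return host is None or hostname_is_safe(host)
```

A value that fails this check should be dropped and logged rather than sanitised, since the only legitimate contents of option 12 are hostname characters.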
**Recommendations**
For NETGEAR Orbi version 2.5.1.16, consider disabling the `UA Parser` utility until a patch is available to prevent exploitation. Restrict access to the router's DHCP request handling to minimize the risk of exploitation. Avoid using the `Host Name` option in DHCP requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.