CVE-2020-27866

Name of the Vulnerable Software and Affected Versions NETGEAR R6020 versions (affected versions not specified) NETGEAR R6080 versions (affected versions not specified) NETGEAR R6120 versions (affected versions not specified) NETGEAR R6220 versions (affected versions not specified) NETGEAR R6260 versions (affected versions not specified) NETGEAR R6700v2 versions (affected versions not specified) NETGEAR R6800 versions (affected versions not specified) NETGEAR R6900v2 versions (affected versions not specified) NETGEAR R7450 versions (affected versions not specified) NETGEAR JNR3210 versions (affected versions not specified) NETGEAR WNR2020 versions (affected versions not specified) NETGEAR Nighthawk AC2100 versions (affected versions not specified) NETGEAR Nighthawk AC2400 versions (affected versions not specified)

Description This issue allows network-adjacent attackers to bypass authentication on affected NETGEAR router installations. The flaw exists within the mini httpd service, which listens on TCP port 80 by default, due to incorrect string matching logic when accessing protected pages. An attacker can leverage this in conjunction with other issues to execute code in the context of root.

Recommendations For NETGEAR R6020, consider disabling the mini httpd service until a patch is available. For NETGEAR R6080, restrict access to protected pages to minimize the risk of exploitation. For NETGEAR R6120, avoid using the default TCP port 80 for the mini httpd service. For NETGEAR R6220, consider implementing additional authentication measures. For NETGEAR R6260, restrict access to the mini httpd service. For NETGEAR R6700v2, consider disabling access to protected pages. For NETGEAR R6800, implement strict access controls for the mini httpd service. For NETGEAR R6900v2, consider restricting access to the router's administration interface. For NETGEAR R7450, avoid using default settings for the mini httpd service. For NETGEAR JNR3210, consider implementing a web application firewall. For NETGEAR WNR2020, restrict access to the mini httpd service. For NETGEAR Nighthawk AC2100, consider disabling the mini httpd service. For NETGEAR Nighthawk AC2400, implement additional security measures to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.