PT-2021-11434 · NetGear · Netgear R7450
1Sd3D · Published 2021-01-18 · Updated 2021-02-08 · CVE-2020-27872
CVSS v3.1: 8.8 High
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
NETGEAR R7450 version 1.2.0.62 1.0.1
Description:
This issue allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7450 routers. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. The issue results from improper state tracking in the password recovery process. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root.
Recommendations:
For NETGEAR R7450 version 1.2.0.62 1.0.1, as a temporary workaround, consider disabling the mini_httpd service until a patch is available. Restrict access to the password recovery process to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exposure of Resource to Wrong Sphere
Affected Products
Netgear R7450