CVE-2021-34978

Name of the Vulnerable Software and Affected Versions NETGEAR R6260 version 1.1.0.78 1.0.1 NETGEAR AC2100, AC2400, AC2600, D7000, R6020, R6080, R6120, R6220, R6230, R6350, R6330, R6700v2, R6800, R6850, R6900v2, R7200, R7350, R7400, R7450, WAC124 (affected versions not specified)

Description This issue allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR routers. Authentication is not required to exploit this issue. The specific flaw exists within the setupwizard.cgi page. A crafted SOAP request can trigger an overflow of a fixed-length stack-based buffer. An attacker can leverage this issue to execute code in the context of root.

Recommendations For NETGEAR R6260 version 1.1.0.78 1.0.1, consider disabling access to the setupwizard.cgi page until a patch is available. For NETGEAR AC2100, AC2400, AC2600, D7000, R6020, R6080, R6120, R6220, R6230, R6350, R6330, R6700v2, R6800, R6850, R6900v2, R7200, R7350, R7400, R7450, WAC124, restrict access to the setupwizard.cgi page to minimize the risk of exploitation. As a temporary workaround, consider blocking crafted SOAP requests to the setupwizard.cgi page until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.