CVE-2022-27644

Name of the Vulnerable Software and Affected Versions NETGEAR R6700v3 version 1.0.4.120 10.0.91 NETGEAR R6400v2 (affected versions not specified) NETGEAR R6900P (affected versions not specified) NETGEAR R7000 (affected versions not specified) NETGEAR R7000P (affected versions not specified) NETGEAR RS400 (affected versions not specified) NETGEAR CBR40 (affected versions not specified)

Description This issue allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR routers. Authentication is not required to exploit this issue. The specific flaw exists within the downloading of files via HTTPS, resulting from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other issues to execute arbitrary code in the context of root.

Recommendations For NETGEAR R6700v3 version 1.0.4.120 10.0.91, consider disabling the HTTPS file download feature until a patch is available. For NETGEAR R6400v2, NETGEAR R6900P, NETGEAR R7000, NETGEAR R7000P, NETGEAR RS400, and NETGEAR CBR40, at the moment, there is no information about a newer version that contains a fix for this issue.