PT-2022-18715 · NetGear · Netgear R8500
Published
2022-03-26
·
Updated
2022-03-31
·
CVE-2022-27947
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
NETGEAR R8500 version 1.0.2.158
Description
The issue allows remote authenticated users to execute arbitrary commands, such as starting the
telnetd service, by injecting shell metacharacters into specific parameters in the ipv6 fix.cgi script. The vulnerable parameters include ipv6 wan ipaddr, ipv6 lan ipaddr, ipv6 wan length, and ipv6 lan length.Recommendations
For NETGEAR R8500 version 1.0.2.158, avoid using the parameters
ipv6 wan ipaddr, ipv6 lan ipaddr, ipv6 wan length, and ipv6 lan length in the ipv6 fix.cgi script until the issue is resolved. As a temporary workaround, consider restricting access to the ipv6 fix.cgi script to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Netgear R8500