CVE-2021-20173
published 2021-12-30


Priority: P2 | 60 | high | CVSS 3.1: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.20% (86.5th percentile)
Netgear Nighthawk R6700 version 1.0.4.120 contains a command injection vulnerability in update functionality of the device. By triggering a system update check via the SOAP interface, the device is susceptible to command injection via preconfigured values.

Affected (1 range)

Vendor: netgear
Product: r6700_firmware
Version range / Fixed in: not listed on this page

Detection & IOCs (extracted from sources)

url: POST /soap/server_sa/ HTTP/1.0
other: SOAPAction: urn:NETGEAR-ROUTER:service:DeviceConfig:1#CheckNewFirmware
cookie: sess_id=018b49310551ca2de378a56e5f03294bc4c58e2b2dd8671d211abfbddaeb932dd8b60666d6c406356e71620c004fa226094ab2888d422f7133bf377490278819; SameSite=Strict
ua: SOAP Toolkit 3.0
command: rm -f %s %s %s;wget -b --tries=2 --timeout=5 -o %s --ca-certificate /opt/xagent/certs/%s -O %s
path: /opt/xagent/certs/
process: upnpd
  • Monitor for HTTP POST requests to /soap/server_sa/ with SOAPAction header containing 'CheckNewFirmware' — this is the trigger endpoint for the command injection vulnerability.
  • Alert on the upnpd process spawning shell commands (system() calls) containing 'wget' or 'rm -f', as these indicate exploitation of the command injection via preconfigured device values.
  • The vulnerability requires prior authentication; look for authenticated SOAP sessions (sess_id cookie) followed immediately by CheckNewFirmware SOAP action as a behavioral chain indicator.
  • Flag traffic with User-Agent 'SOAP Toolkit 3.0' targeting Netgear router SOAP endpoints, as this is the user-agent used in the documented exploit request.
  • The command injection is triggered via preconfigured values already stored on the device — the attacker does not inject directly in the SOAP request body but rather causes the device to use its own stored (potentially attacker-influenced) configuration values in unsanitized system() calls.
  • Three separate instances of unsanitized system() calls exist in the upnpd binary; detection/patching must account for all three code paths, not just the one documented example.
  • Exploitation requires prior authentication to the device before the SOAP CheckNewFirmware request can be issued; unauthenticated access alone is insufficient.
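The detection bullets above, turned into working code as an added example that is not part of this page or of any vendor rule set. The proxy log format, the sample lines and the 60-second chain window are assumptions made up for the example; it alerts on every CheckNewFirmware call to the SOAP endpoint and tags the documented User-Agent and the authenticated-session-then-CheckNewFirmware chain, with a second function for the host-side upnpd child-process rule.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (made up for this example, not captured traffic):
# epoch client method path "user-agent" "SOAPAction" sess=yes|no
SAMPLE_LOG = """\
1640822400 10.0.0.5 POST /soap/server_sa/ "SOAP Toolkit 3.0" "urn:NETGEAR-ROUTER:service:DeviceConfig:1#Authenticate" sess=yes
1640822401 10.0.0.5 POST /soap/server_sa/ "SOAP Toolkit 3.0" "urn:NETGEAR-ROUTER:service:DeviceConfig:1#CheckNewFirmware" sess=yes
1640822500 10.0.0.9 GET /index.htm "Mozilla/5.0" "-" sess=no
1640822600 10.0.0.7 POST /soap/server_sa/ "Mozilla/5.0" "urn:NETGEAR-ROUTER:service:DeviceConfig:1#GetInfo" sess=yes
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) '
    r'"(?P<ua>[^"]*)" "(?P<action>[^"]*)" sess=(?P<sess>yes|no)$'
)

def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    out = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        rec = m.groupdict()
        rec["ts"], rec["sess"] = int(rec["ts"]), rec["sess"] == "yes"
        out.append(rec)
    return out

def detect(text, window=60):
    """One alert per CheckNewFirmware request, tagged with the IOC-derived reasons that fired."""
    last_auth_soap = defaultdict(lambda: None)  # client -> ts of its last authenticated SOAP call
    alerts = []
    for rec in parse_log(text):
        is_soap = rec["method"] == "POST" and rec["path"].startswith("/soap/server_sa/")
        if is_soap and "CheckNewFirmware" in rec["action"]:
            reasons = ["trigger_endpoint"]
            if rec["ua"] == "SOAP Toolkit 3.0":
                reasons.append("documented_user_agent")
            prev = last_auth_soap[rec["client"]]
            if rec["sess"] and prev is not None and rec["ts"] - prev <= window:
                reasons.append("auth_session_then_checknewfirmware")
            alerts.append({"ts": rec["ts"], "client": rec["client"], "reasons": reasons})
        if is_soap and rec["sess"]:
            last_auth_soap[rec["client"]] = rec["ts"]
    return alerts

def suspicious_upnpd_child(parent, cmdline):
    """Host-side rule: upnpd spawning a shell command containing wget or rm -f is an exploitation indicator."""
    return parent == "upnpd" and ("wget" in cmdline or "rm -f" in cmdline)
```

On the sample log, only the 10.0.0.5 CheckNewFirmware request alerts, with all three reasons; the GetInfo call from 10.0.0.7 is recorded as an authenticated SOAP call but does not alert on its own.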

CVSS provenance

NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P