CVE-2021-34977

CWE-288 CWE-287 — Improper Authentication3 documents3 sources

Severity

8.8HIGH

EPSS

0.5%

top 34.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netgear R7000 Netgear R7000 Firmware

Timeline

PublishedJan 13

Latest updateJan 14

Description

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7000 1.0.11.116_10.2.100 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SOAP requests. The issue results from the lack of proper authentication verification before performing a password reset. An attacker can leverage this vulnerability to reset the admin password. Was ZDI-CAN-13483.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5netgear/r70001.0.11.116_10.2.100

▶NVDnetgear/r7000_firmware1.0.11.116_10.2.100

🔴Vulnerability Details

GHSA

GHSA-6r85-9phq-3c46: This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7000 1↗2022-01-14

▶

CVEList

CVE-2021-34977: This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7000 1↗2022-01-13

▶