CVE-2021-40847

CWE-319 — Cleartext Transmission3 documents3 sources

Severity

8.1HIGH

EPSS

6.1%

top 9.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netgear R6400v2 Firmware Netgear R6700 Firmware Netgear R6700v3 Firmware +8 more

Timeline

PublishedSep 21

Latest updateMay 24

Description

The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls themselves are not enabled by default on the routers, the Circle update daemon, circled, is enabled by default. This daemon connects to Circle and NETGEAR to obtain version information and updates to the circled daemon and its filtering database. However, database updates from NETGEAR are unsigned and …

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages11 packages

▶NVDnetgear/r6900p_firmware1.3.2.134

▶NVDnetgear/r7000p_firmware1.3.2.134

▶NVDnetgear/r6700v3_firmware1.0.4.106

▶NVDnetgear/r6700_firmware1.0.2.16

▶NVDnetgear/r6900_firmware1.0.2.16

🔴Vulnerability Details

GHSA

GHSA-62q2-fg4c-c2qp: The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root↗2022-05-24

▶

CVEList

CVE-2021-40847: The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root↗2021-09-21

▶