CVE-2022-27646: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Although…

high8.8CVSS 3.1

AVAACLPRNUINSUCHIHAH

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the circled daemon. A crafted circleinfo.txt file can trigger an overflow of a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15879.

Affected

25 ranges

Vendor	Product	Version range	Fixed in
netgear	cbr40_firmware	< 2.5.0.28	2.5.0.28
netgear	lbr1020_firmware	< 2.7.4.2	2.7.4.2
netgear	lbr20_firmware	< 2.7.4.2	2.7.4.2
netgear	r6400_firmware	< 1.0.4.126	1.0.4.126
netgear	r6700_firmware	< 1.0.4.126	1.0.4.126
netgear	r6700v3	—	—
netgear	r6900p_firmware	< 1.3.3.148	1.3.3.148
netgear	r7000_firmware	< 1.0.11.134	1.0.11.134
netgear	r7000p_firmware	< 1.3.3.148	1.3.3.148
netgear	r7850_firmware	< 1.0.5.84	1.0.5.84
netgear	r7960p_firmware	< 1.4.3.88	1.4.3.88
netgear	r8000_firmware	< 1.0.4.84	1.0.4.84
netgear	r8000p_firmware	< 1.4.3.88	1.4.3.88
netgear	rax200_firmware	< 1.0.6.138	1.0.6.138
netgear	rax75_firmware	< 1.0.6.138	1.0.6.138
netgear	rax80_firmware	< 1.0.6.138	1.0.6.138
netgear	rbr10_firmware	< 2.7.4.24	2.7.4.24
netgear	rbr20_firmware	< 2.7.4.24	2.7.4.24
netgear	rbr40_firmware	< 2.7.4.24	2.7.4.24
netgear	rbr50_firmware	< 2.7.4.24	2.7.4.24
netgear	rbs10_firmware	< 2.7.4.24	2.7.4.24
netgear	rbs20_firmware	< 2.7.4.24	2.7.4.24
netgear	rbs40_firmware	< 2.7.4.24	2.7.4.24
netgear	rbs50_firmware	< 2.7.4.24	2.7.4.24
netgear	rs400_firmware	< 1.5.1.86	1.5.1.86