Security researchers at Cisco Talos have discovered four vulnerabilities in Netgear’s Orbi 750 series router and extender satellites. One of the flaws, CVE-2022-37337, is a critical remote command execution vulnerability in the access control feature of the Netgear Orbi router.
Attackers can exploit publicly accessible admin consoles by sending a specially crafted HTTP request to the vulnerable router to execute arbitrary commands. The Talos team has published a proof-of-concept exploit for this flaw.
Another vulnerability, CVE-2022-38452, is a high-severity remote command execution vulnerability in the router’s telnet service.
Although the vendor has released a firmware update, it did not address this flaw. Cisco has also published a proof-of-concept exploit for this vulnerability.
CVE-2022-36429 is a high-severity command injection vulnerability in the backend communication function of the Netgear Orbi satellite. Finally, CVE-2022-38458 is a cleartext transmission problem in the remote management feature of the Netgear Orbi router, enabling man-in-the-middle attacks that can lead to sensitive information disclosure.
At the time of the disclosure, Cisco was not aware of any cases of active exploitation of these vulnerabilities.
However, given the availability of a proof-of-concept for CVE-2022-37337, threat actors could attempt to find misconfigured, publicly accessible routers to exploit.
Although these exploits require local access, valid login credentials, or the admin console to be publicly accessible, a quick search using Shodan found almost 10,000 Orbi devices publicly accessible from the Internet.
Netgear released a firmware update, version 4.6.14.3, on January 19, 2023, to address the discovered vulnerabilities.
While Orbi does support automatic installation of updates, some devices may not have installed the latest firmware automatically.
Therefore, owners of Netgear Orbi 750 devices should manually check to see if they are running the latest version and upgrade their firmware as soon as possible.
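For administrators with more than one Orbi unit, the manual check above is easiest to do consistently from an inventory. The following is an added example (not code from the article, Cisco Talos or Netgear) that compares each device's reported firmware version against the 4.6.14.3 release named above. It assumes a version string format of optional leading "V", dotted integers, and an optional "_" build suffix; that format and the sample inventory are constructed for illustration. Versions are compared numerically component by component, because a plain string comparison would wrongly rank "4.6.14.10" below "4.6.14.3".

```python
import re

# Fixed firmware version from the advisory (January 19, 2023 release).
PATCHED_VERSION = "4.6.14.3"

# Constructed sample inventory: (device name, firmware string as displayed).
# The "V..._..." display form is an assumption, not taken from the article.
INVENTORY = [
    ("orbi-router-1", "V4.6.14.3_2.3.2"),   # already on the fixed release
    ("orbi-sat-2", "V4.6.12.0_1.9.8"),      # older, needs update
    ("orbi-sat-3", "4.6.14"),               # truncated form, still older
    ("orbi-sat-4", "V4.6.14.10_2.4.0"),     # hypothetical newer build
]


def parse_version(text):
    """Parse a firmware version string into a tuple of integers.

    Accepts an optional leading 'V', dotted integer components, and ignores
    anything from the first '_' onward (assumed build suffix).
    """
    match = re.match(r"^\s*[Vv]?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def needs_update(reported, patched=PATCHED_VERSION):
    """Return True if the reported version is older than the patched one.

    Tuple comparison is lexicographic on integers, so a shorter version such
    as (4, 6, 14) ranks below (4, 6, 14, 3), and 10 ranks above 3.
    """
    return parse_version(reported) < parse_version(patched)


def audit(inventory):
    """Return the names of devices still running pre-fix firmware."""
    return [name for name, version in inventory if needs_update(version)]


if __name__ == "__main__":
    for name in audit(INVENTORY):
        print(f"{name}: firmware older than {PATCHED_VERSION}, update required")
```

Run it against a real inventory by replacing the constructed list with the version strings read from each device's admin page.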