8.8
CVE-2020-27861
- EPSS 0.12%
- Published 12.02.2021 00:15:12
- Last modified 21.11.2024 05:21:57
- Source zdi-disclosures@trendmicro.com
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi 2.5.1.16 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UA_Parser utility. A crafted Host Name option in a DHCP request can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11076.
Data is provided by the National Vulnerability Database (NVD)
Netgear ≫ Cbk40 Firmware Version < 2.6.1.38
Netgear ≫ Cbk43 Firmware Version < 2.6.1.38
Netgear ≫ Cbr40 Firmware Version < 2.6.1.38
Netgear ≫ Ex6200 Firmware Version < 1.0.1.82
Netgear ≫ Ex7700 Firmware Version < 1.0.0.210
Netgear ≫ Ex8000 Firmware Version < 1.0.1.224
Netgear ≫ Rbk12 Firmware Version < 2.6.1.44
Netgear ≫ Rbk13 Firmware Version < 2.6.1.44
Netgear ≫ Rbk14 Firmware Version < 2.6.1.44
Netgear ≫ Rbk15 Firmware Version < 2.6.1.44
Netgear ≫ Rbr10 Firmware Version < 2.6.1.44
Netgear ≫ Rbs10 Firmware Version < 2.6.1.44
Netgear ≫ Rbk20w Firmware Version < 2.6.1.36
Netgear ≫ Rbk23w Firmware Version < 2.6.1.36
Netgear ≫ Rbk20 Router Firmware Version < 2.6.1.36
Netgear ≫ Rbk20 Satellite Firmware Version < 2.6.1.38
Netgear ≫ Rbk22 Router Firmware Version < 2.6.1.36
Netgear ≫ Rbk22 Satellite Firmware Version < 2.6.1.38
Netgear ≫ Rbk23 Router Firmware Version < 2.6.1.36
Netgear ≫ Rbk23 Satellite Firmware Version < 2.6.1.38
Netgear ≫ Rbr20 Firmware Version < 2.6.1.36
Netgear ≫ Rbs20 Firmware Version < 2.6.1.38
Netgear ≫ Rbk30 Firmware Version < 2.6.1.36
Netgear ≫ Rbk33 Firmware Version < 2.6.1.36
Netgear ≫ Rbk40 Router Firmware Version < 2.6.1.36
Netgear ≫ Rbk40 Satellite Firmware Version < 2.6.1.38
Netgear ≫ Rbk43 Router Firmware Version < 2.6.1.36
Netgear ≫ Rbk43 Satellite Firmware Version < 2.6.1.38
Netgear ≫ Rbk43s Router Firmware Version < 2.6.1.36
Netgear ≫ Rbk43s Satellite Firmware Version < 2.6.1.38
Netgear ≫ Rbk44 Router Firmware Version < 2.6.1.36
Netgear ≫ Rbk44 Satellite Firmware Version < 2.6.1.38
Netgear ≫ Rbr40 Firmware Version < 2.6.1.36
Netgear ≫ Rbs40 Firmware Version < 2.6.1.38
Netgear ≫ Rbk50 Firmware Version < 2.6.1.40
Netgear ≫ Rbk50v Firmware Version < 2.6.1.40
Netgear ≫ Rbk52w Firmware Version < 2.6.1.40
Netgear ≫ Rbr50 Firmware Version < 2.6.1.40
Netgear ≫ Rbs50 Firmware Version < 2.6.1.40
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.12% | 0.322 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
nvd@nist.gov | 8.3 | 6.5 | 10 | AV:A/AC:L/Au:N/C:C/I:C/A:C |
zdi-disclosures@trendmicro.com | 8.8 | 2.8 | 5.9 | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.