CVE-2021-34983

moderate-risk

Published 2024-05-07

NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of authentication prior to allowing access to system configuration information. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13708.

Do I need to act?

0.18% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

ADJACENT_NETWORK / LOW complexity

Affected Products (20)

Xr1000 Firmware

Xr300 Firmware

D6220 Firmware

D6400 Firmware

D7000V2 Firmware

Dgn2200V4 Firmware

V6510-1Fxaus Firmware

Dc112A Firmware

Ex3700 Firmware

Ex3800 Firmware

Ex6120 Firmware

Ex6130 Firmware

Ex7000 Firmware

Ex7500 Firmware

Mr60 Firmware

Mr80 Firmware

Ms60 Firmware

Ms80 Firmware

Lax20 Firmware

R6400 Firmware

Affected Vendors

Netgear

References (4)

Vendor Advisory https://kb.netgear.com/000064313/Security-Advisory-for-Pre-Authentication-Buffer...

Third Party Advisory https://www.zerodayinitiative.com/advisories/ZDI-21-1275/

Vendor Advisory https://kb.netgear.com/000064313/Security-Advisory-for-Pre-Authentication-Buffer...

Third Party Advisory https://www.zerodayinitiative.com/advisories/ZDI-21-1275/

/ 100

moderate-risk

Severity 21/34 · High

Exploitability 1/34 · Minimal

Exposure 26/34 · High