PoC exploits released for Netgear Orbi router vulnerabilities (Security News, March 2023)

Proof-of-concept exploits for vulnerabilities in Netgear's Orbi 750 series router and extender satellites have been released, and one of the flaws is a critical-severity remote command execution bug.
The first and most critical flaw is tracked as CVE-2022-37337 and is a remotely exploitable command execution vulnerability in the access control functionality of the Netgear Orbi router.
The third vulnerability is CVE-2022-36429, a high-severity command injection in the backend communications functionality of the Netgear Orbi Satellite, which links to the router to extend the network coverage.
Finally, Cisco's analysts discovered CVE-2022-38458, a cleartext transmission problem impacting the Remote Management functionality of the Netgear Orbi router, enabling man-in-the-middle attacks that can lead to sensitive information disclosure.
While Orbi does support the automatic installation of updates, on an Orbi seen by BleepingComputer, new firmware did not automatically install, and it was running software released in August 2022.
Owners of Netgear Orbi 750 devices should manually check to see if they are running the latest version, and if not, upgrade their firmware as soon as possible.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-03-21 | CVE-2022-38458 | Unspecified vulnerability in Netgear Rbs750 Firmware 4.6.8.5: A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. | 5.9 |
2023-03-21 | CVE-2022-37337 | Unspecified vulnerability in Netgear Rbs750 Firmware 4.6.8.5: A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. | 8.8 |
2023-03-21 | CVE-2022-36429 | Unspecified vulnerability in Netgear Rbs750 Firmware 4.6.8.5: A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. | 7.2 |