Proof of concept (POC) exploits for numerous vulnerabilities in Netgear’s Orbi 750 series router and extender have been released; several of these target remote command execution (RCE) vulnerabilities, including one rated critical. Netgear Orbi is a popular mesh network system for home users. The vulnerabilities were discovered by Cisco Talos on August 30th, 2022, and Netgear released a patch for most of them on January 19th, 2023 in version 126.96.36.199.
The critical RCE vulnerability is tracked as CVE-2022-37337 and affects the router’s access control functionality. An attacker who can reach the admin console, for example one that is publicly accessible, can send a malicious HTTP request to the vulnerable router and execute arbitrary commands on the device. Another high-severity remote command execution vulnerability is tracked as CVE-2022-38452 and affects the router’s telnet service; exploiting it requires both valid credentials and a MAC address. A third vulnerability, CVE-2022-36429, is a high-severity command injection flaw in the backend communications functionality of the Netgear Orbi Satellite, an extender. An attacker can exploit it by sending a sequence of specially crafted JSON objects to the device, but an admin token is required. The final vulnerability, CVE-2022-38458, is a cleartext transmission bug in the Remote Management functionality of the Netgear Orbi router, which exposes it to man-in-the-middle attacks.
Of the vulnerabilities above, the only one not patched in version 188.8.131.52 is CVE-2022-38452. Many of them require valid credentials, local access, or a publicly accessible admin console, which raises the bar for exploitation, and the Talos team reported no signs of public exploitation prior to disclosure. However, a Shodan search returns over 10,000 devices that remain vulnerable, and now that the POC has been released, exploitation in the wild is more likely.
While exploitation was not seen prior to disclosure, it is likely that attackers will begin exploiting these vulnerabilities by adapting the proof-of-concept exploits for their own use. This case demonstrates the need to stay up to date on patching: the patch was released nearly 3 months before the exploits were made public. It also demonstrates the value of a defense-in-depth strategy, as many of these vulnerabilities cannot be exploited without additional prerequisites such as valid credentials or local access, which creates detection opportunities at different stages of the attack chain.