A high-severity remote code execution vulnerability has been disclosed affecting multiple Netgear small office and home office (SOHO) routers. The flaw is a buffer overflow in the routers' Universal Plug and Play (UPnP) service, specifically in its event subscription mechanism, which lets clients on the local network register to be notified of state changes on the device. It could allow a network-adjacent attacker to take control of the router. No authentication is required, so anyone able to reach the UPnP service over the local network could carry out the attack.
The overflow lies in how the UPnP service handles UNSUBSCRIBE requests, the HTTP method a client uses to cancel an event subscription. The service copies attacker-controlled data from the request into a fixed-size buffer without checking its length, so an attacker can send a specially crafted UNSUBSCRIBE request whose oversized field carries a payload that the device then executes. Because the UPnP daemon runs with root privileges on these routers, that payload can do anything from resetting the administrative password to opening a persistent backdoor onto the device. Once the router is compromised, the attacker can monitor all traffic passing through it and use it as a foothold to attack other systems on the network.
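The bug class described above, as an added example written for this page rather than taken from Netgear's firmware: a toy UNSUBSCRIBE handler that copies the SID header value into a fixed 32-byte buffer with no length check, beside a hardened handler that checks the length and rejects oversized values. Which header field the real upnpd mishandles, the 32-byte buffer size, the port in the HOST header and the sample requests are all assumptions made for the demo. In the toy, a canary field placed after the buffer stands in for the saved return address so the overwrite can be observed without leaving defined behaviour.

```c
/* Added illustration, not Netgear's code: a toy UPnP UNSUBSCRIBE handler in the
 * bug class described above, beside a hardened version. Assumed for the demo:
 * the SID header is the field copied, the fixed buffer is 32 bytes, and the
 * sample requests below are constructed, not captured. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define SID_MAX 32u           /* assumed fixed buffer size */
#define CANARY  0xDEADBEEFu   /* stands in for the saved return address */

/* Stand-in for a stack frame: the fixed buffer and what lies above it. */
struct unsub_frame {
    char     sid[SID_MAX];
    uint32_t canary;
};

/* Find a header value in a raw CRLF-delimited HTTP request.
 * Returns a pointer into req plus the value length, or NULL if absent. */
static const char *find_header(const char *req, const char *name, size_t *out_len)
{
    size_t nlen = strlen(name);
    const char *line = strstr(req, "\r\n");          /* skip the request line */
    if (!line)
        return NULL;
    line += 2;
    while (*line && strncmp(line, "\r\n", 2) != 0) {  /* stop at the blank line */
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > nlen && line[nlen] == ':' && strncasecmp(line, name, nlen) == 0) {
            const char *v = line + nlen + 1;
            while (v < line + llen && (*v == ' ' || *v == '\t'))
                v++;                                  /* skip leading whitespace */
            *out_len = (size_t)(line + llen - v);
            return v;
        }
        if (!eol)
            break;
        line = eol + 2;
    }
    return NULL;
}

/* Vulnerable pattern: the SID value goes into the fixed buffer with no length
 * check, as strcpy() or sscanf("%s") would do it. The copy is clamped to the
 * frame only so the demo stays defined behaviour; real code keeps writing past
 * the buffer into saved registers and the return address.
 * Returns an HTTP status, or -1 when the canary was overwritten. */
int unsubscribe_vulnerable(const char *req)
{
    struct unsub_frame f = { {0}, CANARY };
    unsigned char *dst = (unsigned char *)&f;
    size_t len, n;
    const char *sid = find_header(req, "SID", &len);

    if (!sid)
        return 412;                           /* Precondition Failed: no SID */
    n = len < sizeof f ? len : sizeof f;
    memcpy(dst, sid, n);                      /* the unbounded copy, emulated */
    if (n < sizeof f)
        dst[n] = '\0';
    return f.canary == CANARY ? 200 : -1;
}

static char accepted_sid[SID_MAX];            /* SID for the subscription lookup */

/* Hardened version: check the length against the destination before copying,
 * and reject oversized or malformed values instead of truncating silently. */
int unsubscribe_hardened(const char *req)
{
    size_t len;
    const char *sid = find_header(req, "SID", &len);

    if (!sid)
        return 412;
    if (len >= SID_MAX || strncmp(sid, "uuid:", 5) != 0)
        return 400;                           /* Bad Request */
    memcpy(accepted_sid, sid, len);
    accepted_sid[len] = '\0';
    return 200;
}

const char *last_accepted_sid(void) { return accepted_sid; }

/* Constructed sample requests (not captured traffic). */
#define REQ_HEAD "UNSUBSCRIBE /upnp/event/WANIPConnection HTTP/1.1\r\n" \
                 "HOST: 192.168.1.1:5000\r\n"
#define A8 "AAAAAAAA"
const char *BENIGN_REQUEST    = REQ_HEAD "SID: uuid:1234\r\n\r\n";
const char *NO_SID_REQUEST    = REQ_HEAD "\r\n";
const char *OVERSIZED_REQUEST = REQ_HEAD "SID: uuid:" A8 A8 A8 A8 A8 A8 A8 A8 "\r\n\r\n"; /* 69-byte SID */

int main(void)
{
    printf("benign:    vulnerable=%d hardened=%d\n",
           unsubscribe_vulnerable(BENIGN_REQUEST), unsubscribe_hardened(BENIGN_REQUEST));
    printf("oversized: vulnerable=%d hardened=%d\n",
           unsubscribe_vulnerable(OVERSIZED_REQUEST), unsubscribe_hardened(OVERSIZED_REQUEST));
    return 0;
}
```

Build with `cc -Wall demo.c && ./a.out`: the benign request returns 200 from both handlers, while the oversized one returns -1 from the vulnerable handler (the canary, standing in for the return address, now holds 0x41414141) and 400 from the hardened one. The fix pattern is the one to look for when reviewing any request parser: the number of bytes copied must be derived from the destination's size, not from the attacker's input, and a value that does not fit should be rejected rather than truncated.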
A public proof-of-concept exploit exists that uses this vulnerability to gain access to an affected device, so exploitation in the wild should be expected. Netgear has released firmware updates that fix the flaw for most affected models and is continuing to release updates for the rest; administrators should apply them promptly and, where no fix is available yet, disable UPnP on the device or restrict which hosts can reach it. The vulnerability is tracked as CVE-2021-34991.