Researchers at GRIMM discovered a vulnerability in Small Office/Home Office (SOHO) Netgear routers that could allow an attacker to execute arbitrary code as root. The vulnerability is tracked as CVE-2021-40847 and lies in a third-party component included in the firmware: Circle, which is used for parental controls on the devices. According to the researchers, the Circle code runs as root, so any successful exploitation by a threat actor yields code execution as root. The Circle daemon is enabled by default and connects to Circle and Netgear to obtain version information, updates, and its filtering database. The database updates from Netgear are unsigned and are downloaded via Hypertext Transfer Protocol (HTTP), which exposes the device to a Man-in-the-Middle (MitM) attack. An attacker positioned to intercept the traffic can respond to the Circle update requests with a specially crafted compressed database file; extracting that file allows executables on the device to be overwritten. To exploit the vulnerability, the attacker must therefore be able to intercept and modify the router's network traffic.
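The extraction step described above is the point where a defender can limit the damage of a substituted update: treat the downloaded database as untrusted input and refuse any archive entry that would land outside the database directory or that is not a regular file. The following is an added example, not Circle's or Netgear's code; it assumes a gzip-compressed tar update (the page does not state the real format) and constructs a benign and a hostile archive inline.

```python
import io
import os
import tarfile
import tempfile

def build_sample_archive(entries):
    """Build a gzip-compressed tar from (name, data, linkname) tuples (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:          # symlink entry, no data payload
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def unsafe_entries(archive_bytes, dest):
    """Names of entries that are not regular files or would resolve outside dest."""
    dest = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(dest, m.name))
            inside = os.path.commonpath([dest, target]) == dest
            if os.path.isabs(m.name) or not m.isfile() or not inside:
                bad.append(m.name)
    return bad

def extract_database(archive_bytes, dest):
    """Extract only when every entry passed vetting; otherwise refuse and report the offenders."""
    bad = unsafe_entries(archive_bytes, dest)
    if bad:
        return False, bad
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            tar.extract(m, path=dest)     # each member was vetted above
    return True, []

def demo():
    """Run the check on one benign and one hostile constructed archive; returns both verdicts."""
    dest = tempfile.mkdtemp(prefix="circle_db_")   # stand-in for the daemon's database directory
    benign = build_sample_archive([("filters/blocklist.db", b"constructed sample rows", None)])
    hostile = build_sample_archive([
        ("../../usr/bin/circled", b"attacker-controlled bytes", None),  # traversal onto a binary
        ("tools/link", b"", "/usr/bin"),                                 # symlink escaping dest
    ])
    return extract_database(benign, dest), extract_database(hostile, dest)
```

Transport security and update signing belong in front of this check; the vetting only bounds what an already-substituted archive can write.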
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in