Proof-of-concept exploits have been disclosed for four bugs in Netgear's Orbi 750 series router and its extender satellites, one of which is a critical-severity remote command execution bug.
The Netgear Orbi mesh system is marketed for areas between 5,000 and 12,500 square feet, offering robust coverage and high throughput for up to 40 concurrently connected devices. Cisco Talos discovered the bugs and reported them to Netgear on August 30, 2022. Cisco advises users to update to the most recent firmware version, 4.6.14.3, which Netgear published on January 19, 2023.
The first and most serious flaw (CVSS v3.1: 9.1), tracked as CVE-2022-37337, is a remote command execution vulnerability in the Orbi router's access control functionality. An attacker who can reach the router's administrative interface can send a specially crafted HTTP request and execute arbitrary commands on the device. The request must be authenticated, so admin panels that are exposed to the Internet and still use default or weak credentials are the realistic target.
The second issue Cisco's researchers identified is CVE-2022-38452, a high-severity remote command execution vulnerability in the router's telnet service. Exploiting it requires the device's MAC address and valid login credentials. It is the only one of the four flaws that Netgear's January firmware update did not fix, so it remains present even on up-to-date devices; Cisco has nevertheless released a PoC exploit for it as well.
The third vulnerability, CVE-2022-36429, is a high-severity command injection in the Netgear Orbi Satellite, the unit that connects to the router to extend network coverage. An attacker can exploit it by sending the device a series of specially crafted JSON objects; however, the attack only works if the attacker has first obtained an admin token.
Finally, Cisco's analysts found CVE-2022-38458, a cleartext transmission issue in the Orbi router's Remote Management feature that permits man-in-the-middle attacks capable of revealing sensitive information. Cisco was not aware of any of the above weaknesses being actively exploited at the time of the announcement. However, given that a PoC exists for CVE-2022-37337, threat actors could start scanning for misconfigured routers whose admin interfaces are reachable from the Internet.
The good news is that these attacks require local access, valid login credentials, or a publicly reachable admin interface, which makes the flaws considerably harder to exploit. However, a quick Shodan search turned up around 10,000 Orbi devices openly accessible from the Internet, the bulk of them located in the United States. Any of those still using the default admin credentials could be open to attack.
Although Orbi supports automatic installation of updates, the new firmware was not pushed automatically to an Orbi still running the August 2022 software. Owners of Netgear Orbi 750 devices should therefore manually check whether they are running the latest version and, if not, upgrade their firmware immediately.
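When checking a fleet of routers against the fix, the version comparison itself is the place people get it wrong: Netgear's dotted versions compared as plain strings put "4.6.8.5" after "4.6.14.3", which would report a vulnerable unit as patched. The following script is an added example, not code from Cisco Talos or Netgear; it assumes the version string as shown in the Orbi admin UI may carry a leading "V" and a "_build" suffix (for example "V4.6.8.5_2.1.29", where 4.6.8.5 is the version Talos tested and the suffix is a constructed sample), treats 4.6.14.3 as the fixed release from the January 19, 2023 update, and records that CVE-2022-38452 stays open even after that update.

```python
"""Assess an Orbi 750-series firmware version string against the
January 19, 2023 fix. Added example; sample versions are constructed."""
import re
from typing import Dict, List, Tuple, Union

# Firmware Netgear published on January 19, 2023 for the RBR750/RBS750.
FIXED_VERSION = "4.6.14.3"

# CVEs that the January update addressed, and the one it did not.
FIXED_BY_UPDATE = ("CVE-2022-37337", "CVE-2022-36429", "CVE-2022-38458")
STILL_UNFIXED = ("CVE-2022-38452",)

# Optional leading "V" and optional "_build" suffix (assumed UI format).
_VERSION_RE = re.compile(r"^V?(\d+(?:\.\d+)*)(?:_.*)?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V4.6.8.5_2.1.29' or '4.6.14.3' into a tuple of ints.

    The build suffix after '_' is ignored; anything that is not a dotted
    numeric version raises ValueError instead of silently comparing.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_at_or_above_fix(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if 'installed' is numerically at or above the fixed release.

    Component-wise integer comparison is required: as strings,
    '4.6.8.5' > '4.6.14.3' because '8' > '1'.
    """
    inst, fix = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so 4.6.14 compares as 4.6.14.0.
    width = max(len(inst), len(fix))
    inst += (0,) * (width - len(inst))
    fix += (0,) * (width - len(fix))
    return inst >= fix


def assess(installed: str) -> Dict[str, Union[str, bool, List[str]]]:
    """Summarise what a firmware version means for the four Talos CVEs."""
    patched = is_at_or_above_fix(installed)
    return {
        "installed": installed,
        "update_required": not patched,
        "fixed_cves": list(FIXED_BY_UPDATE) if patched else [],
        # The telnet bug is open regardless of version; the other three
        # are open only on firmware older than the January release.
        "open_cves": list(STILL_UNFIXED) if patched
        else list(FIXED_BY_UPDATE + STILL_UNFIXED),
    }


if __name__ == "__main__":
    for sample in ("V4.6.8.5_2.1.29", "4.6.14.3", "V4.6.14.3_2.1.42"):
        print(assess(sample))
```

Feed the script the version string copied from the router's admin page (or collected by whatever inventory tool you use); a device that comes back `update_required: False` still lists CVE-2022-38452 as open, which is the reminder that the January firmware does not close the telnet issue.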