A vulnerability has been found in Netgear R7800 and XR500 (Wireless LAN Software) (affected version unknown) and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation with an unknown input leads to a command injection vulnerability. The CWE definition for the vulnerability is CWE-77. The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R7800 before 1.0.2.60 and XR500 before 2.3.2.32.

The weakness was released 04/16/2020 (Website). It is possible to read the advisory at kb.netgear.com. This vulnerability is known as CVE-2019-20707 since 04/15/2020. The attack can only be done within the local network. The successful exploitation needs a single authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1202 according to MITRE ATT&CK.

Upgrading eliminates this vulnerability.

Entry connected to this vulnerability is available at VDB-153930. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Wireless LAN Software

Vendor

• Netgear

Name

• R7800
• XR500

License

• commercial

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion