CVE-2018-11106

NETGEAR has released fixes for a pre-authentication command injection in request_handler.php security vulnerability on the following product models: WC7500, running firmware versions prior to 6.5.3.5; WC7520, running firmware versions prior to 2.5.0.46; WC7600v1, running firmware versions prior to 6.5.3.5; WC7600v2, running firmware versions prior to 6.5.3.5; and WC9500, running firmware versions prior to 6.5.3.5.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
netgearCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
VendorProductVersion
netgearwc7500_firmware
𝑥
< 6.5.3.5
netgearwc7520_firmware
𝑥
< 2.5.0.46
netgearwc7600v1_firmware
𝑥
< 6.5.3.5
netgearwc7600v2_firmware
𝑥
< 6.5.3.5
netgearwc9500_firmware
𝑥
< 6.5.3.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://kb.netgear.com/000058243/Security-Advisory-for-Pre-Authentication-Command-Injection-in-request-handler-php-on-Some-Wireless-Controllers-PSV-2018-0051
https://kb.netgear.com/000058243/Security-Advisory-for-Pre-Authentication-Command-Injection-in-request-handler-php-on-Some-Wireless-Controllers-PSV-2018-0051