CVE-2021-27254

Name: CVE-2021-27254
Creator: NVD / NIST
Published: 2021-03-05T20:15:12.317+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 0.49%

Last modified Jun 17, 2026

CVE-2021-27254 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7800. Authentication is not required to exploit this vulnerability. EPSS estimates a 0.49% chance of exploitation in the next 30 days.

Description

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7800. Authentication is not required to exploit this vulnerability. The specific flaw exists within the apply_save.cgi endpoint. This issue results from the use of hard-coded encryption key. An attacker can leverage this vulnerability to execute arbitrary code in the context of root. Was ZDI-CAN-12287.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.49%

38.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Netgear	Br200 Firmware	< 5.10.0.5
Netgear	Br500 Firmware	< 5.10.0.5
Netgear	D7800 Firmware	< 1.0.1.60
Netgear	Ex6100v2 Firmware	< 1.0.1.98
Netgear	Ex6150v2 Firmware	< 1.0.1.98
Netgear	Ex6250 Firmware	< 1.0.0.134
Netgear	Ex6400 Firmware	< 1.0.2.158
Netgear	Ex6400v2 Firmware	< 1.0.0.134
Netgear	Ex6410 Firmware	< 1.0.0.134
Netgear	Ex6420 Firmware	< 1.0.0.134
Netgear	Ex7300 Firmware	< 1.0.2.158
Netgear	Ex7300v2 Firmware	< 1.0.0.134
Netgear	Ex7320 Firmware	< 1.0.0.134
Netgear	Ex7700 Firmware	< 1.0.0.216
Netgear	Ex8000 Firmware	< 1.0.1.232
Netgear	Lbr20 Firmware	< 2.6.3.50
Netgear	R7800 Firmware	< 1.0.2.80
Netgear	R8900 Firmware	< 1.0.5.28
Netgear	R9000 Firmware	< 1.0.5.28
Netgear	Rbk12 Firmware	< 2.7.2.104
Netgear	Rbk13 Firmware	< 2.7.2.104
Netgear	Rbk14 Firmware	< 2.7.2.104
Netgear	Rbk15 Firmware	< 2.7.2.104
Netgear	Rbk20 Firmware	< 2.6.2.104
Netgear	Rbk23 Firmware	< 2.7.2.104
Netgear	Rbk40 Firmware	< 2.6.2.104
Netgear	Rbk43 Firmware	< 2.6.2.104
Netgear	Rbk43s Firmware	< 2.6.2.104
Netgear	Rbk44 Firmware	< 2.6.2.104
Netgear	Rbk50 Firmware	< 2.7.2.104
Netgear	Rbk53 Firmware	< 2.7.2.104
Netgear	Rbr10 Firmware	< 2.6.2.104
Netgear	Rbr20 Firmware	< 2.6.2.104
Netgear	Rbr40 Firmware	< 2.6.2.104
Netgear	Rbr50 Firmware	< 2.7.2.104
Netgear	Rbs10 Firmware	< 2.6.2.104
Netgear	Rbs20 Firmware	< 2.6.2.104
Netgear	Rbs40 Firmware	< 2.6.2.104
Netgear	Rbs50 Firmware	< 2.7.2.104
Netgear	Rbs50y Firmware	< 2.6.2.104
Netgear	Xr450 Firmware	< 2.3.2.114
Netgear	Xr500 Firmware	< 2.3.2.114
Netgear	Xr700 Firmware	< 1.0.1.38

References

https://kb.netgear.com/000062883/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Satellites-and-ExtendersPatch, Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-252/Third Party Advisory, VDB Entry
https://kb.netgear.com/000062883/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Satellites-and-ExtendersPatch, Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-252/Third Party Advisory, VDB Entry

Timeline

Published: Mar 5, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-27254?

How severe is CVE-2021-27254?

CVE-2021-27254 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 0.49% probability of exploitation in the next 30 days.

How do I fix CVE-2021-27254?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-27254?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST