CVE-2021-34983: NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability. This vulnerability allows network-ad...

Description

NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of authentication prior to allowing access to system configuration information. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13708.

Metrics

EPSS Probability

0.33%

24.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-306

Affected Software

Vendor	Product	Versions
Netgear	Xr1000 Firmware	< 1.0.0.64
Netgear	Xr300 Firmware	< 1.0.3.68
Netgear	D6220 Firmware	< 1.0.0.76
Netgear	D6400 Firmware	< 1.0.0.108
Netgear	D7000v2 Firmware	< 1.0.0.76
Netgear	Dgn2200v4 Firmware	< 1.0.0.126
Netgear	V6510-1fxaus Firmware	< 1.0.0.80
Netgear	Dc112a Firmware	< 1.0.0.62
Netgear	Ex3700 Firmware	< 1.0.0.94
Netgear	Ex3800 Firmware	< 1.0.0.94
Netgear	Ex6120 Firmware	< 1.0.0.66
Netgear	Ex6130 Firmware	< 1.0.0.46
Netgear	Ex7000 Firmware	< 1.0.1.106
Netgear	Ex7500 Firmware	< 1.0.1.76
Netgear	Mr60 Firmware	< 1.1.6.122
Netgear	Mr80 Firmware	< 1.1.6.10
Netgear	Ms60 Firmware	< 1.1.6.122
Netgear	Ms80 Firmware	< 1.1.6.10
Netgear	Lax20 Firmware	< 1.1.6.30
Netgear	R6400 Firmware	< 1.0.1.76
Netgear	R6400v2 Firmware	< 1.0.4.120
Netgear	R6700v3 Firmware	< 1.0.4.120
Netgear	R6900p Firmware	< 1.3.3.148
Netgear	R7000 Firmware	< 1.0.11.128
Netgear	R7000p Firmware	< 1.3.3.148
Netgear	R7100lg Firmware	< 1.0.0.72
Netgear	R7850 Firmware	< 1.0.5.76
Netgear	R7900p Firmware	< 1.4.2.84
Netgear	R7960p Firmware	< 1.4.2.84
Netgear	R8000 Firmware	< 1.0.4.76
Netgear	R8000p Firmware	< 1.4.2.84
Netgear	R8300 Firmware	< 1.0.2.156
Netgear	R8500 Firmware	< 1.0.2.156
Netgear	Rax15 Firmware	< 1.0.4.100
Netgear	Rax20 Firmware	< 1.0.4.100
Netgear	Rax200 Firmware	< 1.0.5.132
Netgear	Rax35v2 Firmware	< 1.0.4.100
Netgear	Rax38v2 Firmware	< 1.0.4.100
Netgear	Rax40v2 Firmware	< 1.0.4.100
Netgear	Rax42 Firmware	< 1.0.4.100
Netgear	Rax43 Firmware	< 1.0.4.100
Netgear	Rax45 Firmware	< 1.0.4.100
Netgear	Rax48 Firmware	< 1.0.4.100
Netgear	Rax50 Firmware	< 1.0.4.100
Netgear	Rax50s Firmware	< 1.0.4.100
Netgear	Rax75 Firmware	< 1.0.5.132
Netgear	Rax80 Firmware	< 1.0.5.132
Netgear	Raxe450 Firmware	< 1.0.8.70
Netgear	Raxe500 Firmware	< 1.0.8.70
Netgear	Rs400 Firmware	< 1.5.1.80

Showing 50 of 52 affected configurations. See NVD for the full list.

References

Timeline

Published: May 7, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2021-34983?

NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of authentication prior to allowing access to system configuration information. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13708.

How severe is CVE-2021-34983?

Severity scoring for CVE-2021-34983 is pending analysis. The EPSS model estimates a 0.33% probability of exploitation in the next 30 days.

How do I fix CVE-2021-34983?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.