CVE-2021-40847: The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root ...

Description

The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls themselves are not enabled by default on the routers, the Circle update daemon, circled, is enabled by default. This daemon connects to Circle and NETGEAR to obtain version information and updates to the circled daemon and its filtering database. However, database updates from NETGEAR are unsigned and downloaded via cleartext HTTP. As such, an attacker with the ability to perform a MitM attack on the device can respond to circled update requests with a crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code. This affects R6400v2 1.0.4.106, R6700 1.0.2.16, R6700v3 1.0.4.106, R6900 1.0.2.16, R6900P 1.3.2.134, R7000 1.0.11.123, R7000P 1.3.2.134, R7850 1.0.5.68, R7900 1.0.4.38, R8000 1.0.4.68, and RS400 1.5.0.68.

Metrics

CVSS 3.1

8.1/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

10.85%

95.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-319

Affected Software

Vendor	Product	Versions
Netgear	R6400v2 Firmware	1.0.4.106
Netgear	R6700 Firmware	1.0.2.16
Netgear	R6700v3 Firmware	1.0.4.106
Netgear	R6900 Firmware	1.0.2.16
Netgear	R6900p Firmware	1.3.2.134
Netgear	R7000 Firmware	1.0.11.123
Netgear	R7000p Firmware	1.3.2.134
Netgear	R7850 Firmware	1.0.5.68
Netgear	R7900 Firmware	1.0.4.38
Netgear	R8000 Firmware	1.0.4.68
Netgear	Rs400 Firmware	1.5.0.68

References

https://blog.grimm-co.com/2021/09/mama-always-told-me-not-to-trust.htmlExploit, Third Party Advisory
https://kb.netgear.com/000064039/Security-Advisory-for-Remote-Code-Execution-on-Some-Routers-PSV-2021-0204Vendor Advisory
https://blog.grimm-co.com/2021/09/mama-always-told-me-not-to-trust.htmlExploit, Third Party Advisory
https://kb.netgear.com/000064039/Security-Advisory-for-Remote-Code-Execution-on-Some-Routers-PSV-2021-0204Vendor Advisory

Timeline

Published: Sep 21, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-40847?

The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls themselves are not enabled by default on the routers, the Circle update daemon, circled, is enabled by default. This daemon connects to Circle and NETGEAR to obtain version information and updates to the circled daemon and its filtering database. However, database updates from NETGEAR are unsigned and downloaded via cleartext HTTP. As such, an attacker with the ability to perform a MitM attack on the device can respond to circled update requests with a crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code. This affects R6400v2 1.0.4.106, R6700 1.0.2.16, R6700v3 1.0.4.106, R6900 1.0.2.16, R6900P 1.3.2.134, R7000 1.0.11.123, R7000P 1.3.2.134, R7850 1.0.5.68, R7900 1.0.4.38, R8000 1.0.4.68, and RS400 1.5.0.68.

How severe is CVE-2021-40847?

CVE-2021-40847 has a CVSS score of 8.1/10 (HIGH severity). The EPSS model estimates a 10.85% probability of exploitation in the next 30 days.

How do I fix CVE-2021-40847?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.