NETGEAR FunJSQ CVE-2022-40620/40621: Insecure Update & Command Injection

Key Information Vulnerability Overview Component: FunJSQ Impact: NETGEAR routers and Orbi Wi-Fi systems CVE IDs: - CVE-2022-40620: Insecure update mechanism - CVE-2022-40621: Unvalidated command injection Vulnerability Details Insecure Update Mechanism: - Unverified software updates can lead to man-in-the-middle (MITM) attacks injecting malicious software. - HTTPS requests in the script always use the option, disabling certificate verification. Unvalidated Command Injection: - has a command injection vulnerability when processing incoming requests. - Attackers can inject arbitrary commands by controlling parameters such as , , . Affected Versions NETGEAR Routers: - R6230: <1.1.0.112 - R6260: <1.1.0.88 - R7000: <1.0.11.134 - R8900: <1.0.5.42 - R9000: <1.0.5.42 - XR300: <1.0.3.72 Orbi Wi-Fi Systems: - RBR20, RBS20: <2.7.2.26 - RBR50, RBS50: <2.7.4.26 Fixed Versions NETGEAR Routers: - R6230: 1.1.0.112 - R6260: 1.1.0.88 - R7000: 1.0.11.134 - R8900: 1.0.5.42 - R9000: 1.0.5.42 - XR300: 1.0.3.72 Orbi Wi-Fi Systems: - RBR20, RBS20: 2.7.2.26 - RBR50, RBS50: 2.7.4.26 CVSS Score Risk Assessment: 7.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L) Timeline 2022-05-19: Coordinated disclosure request sent to NETGEAR 2022-06-10: NETGEAR confirmed and provided contact info and PGP key 2022-06-11: Vulnerability details discussed 2022-06-15: Agreement reached on fixes and disclosure 2022-09-08: NETGEAR released its advisory 2022-09-12: ONEKEY released its advisory

Goal Reached Thanks to every supporter — we hit 100%!

NETGEAR FunJSQ CVE-2022-40620/40621: Insecure Update & Command Injection