CVE-2021-40847
8.1 HIGHThe update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execu...
Published: 2021-09-21 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 8.1 HIGH
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-319
Affected products
| Vendor | Product |
|---|---|
| netgear | r6400v2_firmware, r6700_firmware, r6700v3_firmware |
Description
The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls themselves are not enabled by default on the routers, the Circle update daemon, circled, is enabled by default. This daemon connects to Circle and NETGEAR to obtain version information and updates to the circled daemon and its filtering database. However, database updates from NETGEAR are unsigned and downloaded via cleartext HTTP. As such, an attacker with the ability to perform a MitM attack on the device can respond to circled update requests with a crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code. This affects R6400v2 1.0.4.106, R6700 1.0.2.16, R6700v3 1.0.4.106, R6900 1.0.2.16, R6900P 1.3.2.134, R7000 1.0.11.123, R7000P 1.3.2.134, R7850 1.0.5.68, R7900 1.0.4.38, R8000 1.0.4.68, and RS400 1.5.0.68.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-40847
- [Exploit reference]https://blog.grimm-co.com/2021/09/mama-always-told-me-not-to-trust.html
- [Vendor advisory]https://kb.netgear.com/000064039/Security-Advisory-for-Remote-Code-Execution-on-Some-Routers-PSV-2021-0204
- [Exploit reference]https://blog.grimm-co.com/2021/09/mama-always-told-me-not-to-trust.html
- [Vendor advisory]https://kb.netgear.com/000064039/Security-Advisory-for-Remote-Code-Execution-on-Some-Routers-PSV-2021-0204
Related CVEs
Same vendor
- CVE-2021-41383 — setup.cgi on NETGEAR R6020 1.0.0.48 devices allows an admin to execute arbitrary shell commands via shell metacharacters in the ntp_serve... (7.2 HIGH)
- CVE-2021-41314 — Certain NETGEAR smart switches are affected by a \n injection in the web UI's password field, which - due to several faulty aspects of th... (8.8 HIGH)
- CVE-2021-40867 — Certain NETGEAR smart switches are affected by an authentication hijacking race-condition vulnerability by an unauthenticated attacker wh... (7.8 HIGH)
- CVE-2021-40866 — Certain NETGEAR smart switches are affected by a remote admin password change by an unauthenticated attacker via the (disabled by default... (9.8 CRITICAL)
- CVE-2021-38539 — Certain NETGEAR devices are affected by privilege escalation (6.3 MEDIUM)
Same CWE
- CVE-2026-9741 — A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryp... (6.5 MEDIUM)
- CVE-2026-45432 — This vulnerability exists in GX Earth ONT models due to the transmission of user credentials in plaintext over HTTP in its web management...
- CVE-2026-8874 — Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted ... (7.1 HIGH)
- CVE-2026-36610 — Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding (5.9 MEDIUM)
- CVE-2026-7666 — An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15 (3.1 LOW)