CVE-2021-40847
CVE-2021-40847 is a high-severity vulnerability in Netgear R6400v2 Firmware with a CVSS 3.x base score of 8.1. Its EPSS exploit-prediction score of 10% places it in the 95th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-319.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- CVSS v2: 9.3
- EPSS exploit prediction: 10% (95th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-319
- Affected product: Netgear R6400v2 Firmware
- Published:
- Last modified:
Description
The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls themselves are not enabled by default on the routers, the Circle update daemon, circled, is enabled by default. This daemon connects to Circle and NETGEAR to obtain version information and updates to the circled daemon and its filtering database. However, database updates from NETGEAR are unsigned and downloaded via cleartext HTTP. As such, an attacker with the ability to perform a MitM attack on the device can respond to circled update requests with a crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code. This affects R6400v2 1.0.4.106, R6700 1.0.2.16, R6700v3 1.0.4.106, R6900 1.0.2.16, R6900P 1.3.2.134, R7000 1.0.11.123, R7000P 1.3.2.134, R7850 1.0.5.68, R7900 1.0.4.38, R8000 1.0.4.68, and RS400 1.5.0.68.
Frequently asked questions
- What is CVE-2021-40847?
- The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls themselves are not enabled by default on the routers, the Circle update daemon, circled, is enabled by default. This daemon connects to Circle and NETGEAR to obtain version information and updates to the circled daemon and its filtering database. However, database updates from NETGEAR are unsigned and downloaded via cleartext HTTP. As such, an attacker with the ability to perform a MitM attack on the device can respond to circled update requests with a crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code. This affects R6400v2 1.0.4.106, R6700 1.0.2.16, R6700v3 1.0.4.106, R6900 1.0.2.16, R6900P 1.3.2.134, R7000 1.0.11.123, R7000P 1.3.2.134, R7850 1.0.5.68, R7900 1.0.4.38, R8000 1.0.4.68, and RS400 1.5.0.68.
- How severe is CVE-2021-40847?
- CVE-2021-40847 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-40847 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 10% (95th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-40847?
- CVE-2021-40847 primarily affects Netgear R6400v2 Firmware. In total, 11 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-40847?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2021-40847 published?
- CVE-2021-40847 was published on 2021-09-21 and last updated on 2026-06-17.
References
- https://blog.grimm-co.com/2021/09/mama-always-told-me-not-to-trust.html
- https://kb.netgear.com/000064039/Security-Advisory-for-Remote-Code-Execution-on-Some-Routers-PSV-2021-0204
Affected products (11)
- cpe:2.3:o:netgear:r6400v2_firmware:1.0.4.106:*:*:*:*:*:*:*
- cpe:2.3:o:netgear:r6700_firmware:1.0.2.16:*:*:*:*:*:*:*
- cpe:2.3:o:netgear:r6700v3_firmware:1.0.4.106:*:*:*:*:*:*:*
- cpe:2.3:o:netgear:r6900_firmware:1.0.2.16:*:*:*:*:*:*:*
- cpe:2.3:o:netgear:r6900p_firmware:1.3.2.134:*:*:*:*:*:*:*
- cpe:2.3:o:netgear:r7000_firmware:1.0.11.123:*:*:*:*:*:*:*
- cpe:2.3:o:netgear:r7000p_firmware:1.3.2.134:*:*:*:*:*:*:*
- cpe:2.3:o:netgear:r7850_firmware:1.0.5.68:*:*:*:*:*:*:*
- cpe:2.3:o:netgear:r7900_firmware:1.0.4.38:*:*:*:*:*:*:*
- cpe:2.3:o:netgear:r8000_firmware:1.0.4.68:*:*:*:*:*:*:*
- cpe:2.3:o:netgear:rs400_firmware:1.5.0.68:*:*:*:*:*:*:*
More vulnerabilities in Netgear R6400v2 Firmware
- CVE-2023-36187 — Critical (CVSS 9.8): Buffer Overflow vulnerability in NETGEAR R6400v2 before version 1.0.4.118, allows remote unauthenticated attackers to…
- CVE-2021-45617 — Critical (CVSS 9.8): Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects CBR40 before…
- CVE-2020-35795 — Critical (CVSS 9.8): Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. This affects AC2100 before…
- CVE-2021-45622 — Critical (CVSS 9.6): Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects CBR40 before…
- CVE-2021-45621 — Critical (CVSS 9.6): Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects CBR40 before…
- CVE-2021-45620 — Critical (CVSS 9.6): Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects CBR40 before…
All CVEs affecting Netgear R6400v2 Firmware →
Other CWE-319 (Cleartext Transmission of Sensitive Information) vulnerabilities
- CVE-2025-4378 — Critical (CVSS 10.0): Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University…
- CVE-2025-47419 — Critical (CVSS 10.0): Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network…
- CVE-2026-48902 — Critical (CVSS 9.8): The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't…
- CVE-2025-34271 — Critical (CVSS 9.8): Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the cluster manager component when…
- CVE-2025-32880 — Critical (CVSS 9.8): An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a…
- CVE-2025-26199 — Critical (CVSS 9.8): CloudClassroom-PHP-Project v1.0 is affected by an insecure credential transmission vulnerability. The application…
Browse all CWE-319 (Cleartext Transmission of Sensitive Information) vulnerabilities →