CVE-2022-41545

The administrative web interface of a Netgear C7800 Router running firmware version 6.01.07 (and possibly others) authenticates users via basic authentication, with an HTTP header containing a base64 value of the plaintext username and password. Because the web server also does not utilize transport security by default, this renders the administrative credentials vulnerable to eavesdropping by an adversary during every authenticated request made by a client to the router over a WLAN, or a LAN, should the adversary be able to perform a man-in-the-middle attack.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:netgear:c7800_firmware:6.01.07:*:*:*:*:*:*:*
cpe:2.3:h:netgear:c7800:-:*:*:*:*:*:*:*

History

06 Jun 2025, 18:01

Type Values Removed Values Added
References () https://seclists.org/fulldisclosure/2025/Feb/12 - () https://seclists.org/fulldisclosure/2025/Feb/12 - Mailing List, Third Party Advisory
References () https://www.netgear.com/about/security/ - () https://www.netgear.com/about/security/ - Vendor Advisory
References () https://www.netgear.com/images/datasheet/networking/cablemodems/C7800.pdf - () https://www.netgear.com/images/datasheet/networking/cablemodems/C7800.pdf - Product
References () http://seclists.org/fulldisclosure/2025/Feb/12 - () http://seclists.org/fulldisclosure/2025/Feb/12 - Mailing List, Third Party Advisory
First Time Netgear c7800
Netgear c7800 Firmware
Netgear
CPE cpe:2.3:h:netgear:c7800:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:c7800_firmware:6.01.07:*:*:*:*:*:*:*

20 Mar 2025, 17:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : 6.4

18 Mar 2025, 00:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.4
v2 : unknown
v3 : 7.5

17 Mar 2025, 17:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 9.8
v2 : unknown
v3 : 6.4
CWE CWE-287 CWE-319

19 Feb 2025, 15:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
CWE CWE-287
Summary
  • (es) La interfaz web administrativa de NetGear C7800 router con la versión de firmware 6.01.07 (y posiblemente otras) autentica a los usuarios mediante autenticación básica, con un encabezado HTTP que contiene un valor base64 del nombre de usuario y la contraseña en texto plano. Debido a que el servidor web tampoco utiliza seguridad de transporte de manera predeterminada, esto hace que las credenciales administrativas sean vulnerables a escuchas clandestinas por parte de un adversario durante cada solicitud autenticada que realiza un cliente al router a través de una red inalámbrica (WLAN) o una red local (LAN), en caso de que el adversario pueda realizar un ataque de intermediario.

18 Feb 2025, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-02-18 18:15

Updated : 2025-06-06 18:01


NVD link : CVE-2022-41545

Mitre link : CVE-2022-41545

CVE.ORG link : CVE-2022-41545


JSON object : View

Products Affected

netgear

  • c7800_firmware
  • c7800
CWE
CWE-319

Cleartext Transmission of Sensitive Information