CVE-2024-12847
Published: 10 January 2025
Summary
CVE-2024-12847 is a critical-severity OS Command Injection (CWE-78) vulnerability in NETGEAR DGN1000 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Deeper analysis
NETGEAR DGN1000 devices running firmware versions before 1.1.00.48 contain an authentication bypass vulnerability that affects the setup.cgi endpoint. The flaw stems from missing authentication checks combined with improper input handling, classified under CWE-306 and CWE-78, and carries a CVSS 3.1 score of 9.8 reflecting network-accessible command execution without credentials.
A remote unauthenticated attacker can exploit the issue by sending specially crafted HTTP requests to setup.cgi, resulting in arbitrary operating system command execution with root privileges on the affected device.
The vulnerability has been observed in active exploitation since at least 2017, including activity observed by the Shadowserver Foundation on 2025-02-06 UTC. Its EPSS score is 0.7897, which is both its current and its peak value, indicating sustained attacker interest without a documented post-disclosure climb from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51148
Vulnerability details
NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been observed to be exploited in the wild since at least 2017 and specifically by the Shadowserver Foundation on 2025-02-06 UTC.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct, remote, unauthenticated command injection on the router's public-facing web endpoint (setup.cgi) enables T1190 exploitation and Unix shell command execution as root.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the authentication bypass (CWE-306) by identifying and restricting critical actions like command execution on setup.cgi to only authenticated users.
- Prevents command injection (CWE-78) by requiring validation and sanitization of crafted HTTP inputs to the vulnerable setup.cgi endpoint.
- Remediates the specific flaw through timely firmware patching to version 1.1.00.48 or later, eliminating the vulnerability.