CVE-2024-12847
Published: 10 January 2025
Summary
CVE-2024-12847 is a critical-severity OS Command Injection (CWE-78) vulnerability in Netgear Dgn1000 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the authentication bypass (CWE-306) by identifying and restricting critical actions like command execution on setup.cgi to only authenticated users.
Prevents command injection (CWE-78) by requiring validation and sanitization of crafted HTTP inputs to the vulnerable setup.cgi endpoint.
Remediates the specific flaw through timely firmware patching to version 1.1.00.48 or later, eliminating the vulnerability.
NVD Description
NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been observed to be…
more
exploited in the wild since at least 2017 and specifically by the Shadowserver Foundation on 2025-02-06 UTC.
Deeper analysisAI
CVE-2024-12847 is an authentication bypass vulnerability affecting NETGEAR DGN1000 router firmware versions before 1.1.00.48. It enables command injection through the setup.cgi endpoint, mapped to CWE-306 (Missing Authentication for Critical Function) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The issue allows remote execution of arbitrary operating system commands as root via crafted HTTP requests.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation grants full root-level command execution on the device, potentially leading to complete compromise, data theft, or use as a pivot in further attacks.
Advisories and related resources, including those from VulnCheck and Exploit-DB (exploits 25978 and 43055), along with a 2013 Bugtraq discussion, detail the issue but do not specify additional mitigations beyond upgrading to firmware version 1.1.00.48 or later.
This vulnerability has been observed in active exploitation in the wild since at least 2017, including scanning by the Shadowserver Foundation on 2025-02-06 UTC.
Details
- CWE(s)