Cyber Resilience

CVE-2024-12847

Critical · Public PoC · RCE

Published: 10 January 2025
Modified: 19 December 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7897 (99.1th percentile)
Risk Priority: 67 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12847 is a critical-severity OS Command Injection (CWE-78) vulnerability in NETGEAR DGN1000 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

NETGEAR DGN1000 devices running firmware versions before 1.1.00.48 contain an authentication bypass vulnerability that affects the setup.cgi endpoint. The flaw stems from missing authentication checks combined with improper input handling, classified under CWE-306 and CWE-78, and carries a CVSS 3.1 score of 9.8 reflecting network-accessible command execution without credentials.

A remote unauthenticated attacker can exploit the issue by sending specially crafted HTTP requests to setup.cgi, resulting in arbitrary operating system command execution with root privileges on the affected device.

The vulnerability has been observed in active exploitation since at least 2017, including exploitation observed by the Shadowserver Foundation on 2025-02-06 UTC. Its EPSS score stands at a current and peak value of 0.7897, indicating sustained attacker interest without a documented post-disclosure climb from a low baseline.

Vulnerability details

NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been observed to be exploited in the wild since at least 2017 and specifically by the Shadowserver Foundation on 2025-02-06 UTC.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct remote unauthenticated command injection on public-facing router web endpoint (setup.cgi) enables T1190 exploitation and Unix shell command execution as root.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-28219 (Same vendor: Netgear)
CVE-2024-54807 (Same vendor: Netgear)
CVE-2024-54805 (Same vendor: Netgear)
CVE-2024-54804 (Same vendor: Netgear)
CVE-2024-54806 (Same vendor: Netgear)
CVE-2022-40619 (Same vendor: Netgear)
CVE-2024-54808 (Same vendor: Netgear)
CVE-2025-50526 (Same vendor: Netgear)
CVE-2024-54803 (Same vendor: Netgear)
CVE-2024-54802 (Same vendor: Netgear)

Affected Assets

netgear dgn1000 firmware ≤ 1.1.00.48

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mitigates the authentication bypass (CWE-306) by identifying and restricting critical actions like command execution on setup.cgi to only authenticated users.

prevent

Prevents command injection (CWE-78) by requiring validation and sanitization of crafted HTTP inputs to the vulnerable setup.cgi endpoint.

prevent

Remediates the specific flaw through timely firmware patching to version 1.1.00.48 or later, eliminating the vulnerability.
