Cyber Resilience

CVE-2024-35520

High

Published: 14 October 2024

Published
14 October 2024
Modified
16 October 2024
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0536 90.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-35520 is a high-severity Command Injection (CWE-77) vulnerability in Netgear R7000 Firmware. Its CVSS base score is 8.4 (High).

Operationally, ranked in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Netgear R7000 firmware version 1.0.11.136 is affected by a command-injection flaw (CWE-77) in the RMT_invite.cgi endpoint. The vulnerability is triggered when an attacker supplies a crafted device_name2 parameter, allowing arbitrary operating-system commands to be executed on the device.

Exploitation requires adjacent-network access and high privileges, corresponding to the CVSS vector AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. An authenticated administrator on the local network can therefore achieve full control over the router, including the ability to read or modify configuration data, install persistent malware, or disrupt network services.

The referenced Netgear security advisory PSV-2023-0154 describes the issue as post-authentication command injection and directs users to updated firmware that eliminates the vulnerable parameter handling in RMT_invite.cgi.

EPSS remains flat at 0.0536 with no upward movement since disclosure, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

Netgear R7000 1.0.11.136 is vulnerable to Command Injection in RMT_invite.cgi via device_name2 parameter.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

netgear
r7000 firmware
1.0.11.136

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References