Cyber Resilience

CVE-2024-54803

CriticalPublic PoCRCE

Published: 31 March 2025

Published
31 March 2025
Modified
22 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0364 88.1th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-54803 is a critical-severity Code Injection (CWE-94) vulnerability in Netgear Wnr854T Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Netgear WNR854T firmware version 1.5.2 for the North American market is affected by a command injection vulnerability. The flaw resides in the post.cgi handler, which processes an nvram parameter named pppoe_peer_mac without adequate input validation, enabling an attacker to inject operating-system commands that execute after a device reboot.

An unauthenticated remote attacker can exploit the issue by sending a single specially crafted HTTP request over the network. Successful exploitation grants the attacker full control over the router, including the ability to execute arbitrary commands with the privileges of the web-management process, resulting in complete compromise of confidentiality, integrity, and availability.

The EPSS score for this CVE rose from low values to a peak of 0.1025 on 2026-03-14 before receding, indicating that exploitation interest emerged after public disclosure and that the vulnerability warrants renewed attention from defenders.

EU & UK References

Vulnerability details

Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter pppoe_peer_mac and forcing a reboot. This will result in command injection.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The CVE describes remote unauthenticated command injection via a public-facing web script (post.cgi) on a router, directly enabling T1190 for initial access and T1059.004 for arbitrary Unix shell command execution on the device.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-54804Same product: Netgear Wnr854T
CVE-2024-54807Same product: Netgear Wnr854T
CVE-2024-54805Same product: Netgear Wnr854T
CVE-2024-54806Same product: Netgear Wnr854T
CVE-2024-54808Same product: Netgear Wnr854T
CVE-2024-54802Same product: Netgear Wnr854T
CVE-2024-54809Same product: Netgear Wnr854T
CVE-2024-12847Same vendor: Netgear
CVE-2025-28219Same vendor: Netgear
CVE-2022-40619Same vendor: Netgear

Affected Assets

netgear
wnr854t firmware
1.5.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection by requiring validation of untrusted inputs like the pppoe_peer_mac parameter in post.cgi against expected format and content.

prevent

Enforces approved authorizations, preventing unauthenticated remote access to sensitive NVRAM update functions in post.cgi that enable the injection.

prevent

Requires timely remediation of the specific command injection flaw in the router firmware via patching or updates.

References