CVE-2024-54803
Published: 31 March 2025
Summary
CVE-2024-54803 is a critical-severity Code Injection (CWE-94) vulnerability in Netgear Wnr854T Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection by requiring validation of untrusted inputs like the pppoe_peer_mac parameter in post.cgi against expected format and content.
Enforces approved authorizations, preventing unauthenticated remote access to sensitive NVRAM update functions in post.cgi that enable the injection.
Requires timely remediation of the specific command injection flaw in the router firmware via patching or updates.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes remote unauthenticated command injection via a public-facing web script (post.cgi) on a router, directly enabling T1190 for initial access and T1059.004 for arbitrary Unix shell command execution on the device.
NVD Description
Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter pppoe_peer_mac and forcing a reboot. This will result in command injection.
Deeper analysisAI
CVE-2024-54803 is a command injection vulnerability (CWE-94) in the Netgear WNR854T router version 1.5.2 for North America. The flaw occurs in the post.cgi script, where an attacker can send a specially crafted HTTP request to update the nvram parameter pppoe_peer_mac, triggering a forced reboot that results in command injection. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.
An unauthenticated attacker with network access to the router can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting a malicious request to post.cgi, the attacker achieves arbitrary command injection during the reboot process, enabling potential full device compromise, execution of unauthorized commands, configuration manipulation, data exfiltration, or persistent denial of service.
Mitigation details are available in the referenced advisory at https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#803, published prior to the CVE assignment on 2025-03-31. Security practitioners should consult this source for patching guidance or workarounds specific to the affected firmware.
Details
- CWE(s)