CVE-2024-54804
Published: 31 March 2025
Summary
CVE-2024-54804 is a critical-severity Code Injection (CWE-94) vulnerability in Netgear Wnr854T Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Netgear WNR854T firmware version 1.5.2 for the North American market contains a command injection vulnerability tracked as CVE-2024-54804. The flaw resides in the post.cgi endpoint, which accepts an attacker-supplied value for the nvram parameter wan_hostname and then reboots the device, causing the supplied value to be executed as a system command. The issue is assigned CWE-94 and carries a CVSS 3.1 base score of 9.8.
An unauthenticated remote attacker can exploit the vulnerability by sending a single crafted HTTP request to the device. Successful exploitation grants arbitrary command execution with full privileges, allowing complete compromise of confidentiality, integrity, and availability without any user interaction.
The sole public reference is a technical write-up published at faultpoint.com that details eight similar issues in the same device. EPSS for the CVE rose from a low baseline to a peak of 0.1025 on 2026-03-14 before receding to its current value of 0.0364, indicating measurable post-disclosure exploitation interest that later subsided.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54342
Vulnerability details
Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter wan_hostname and forcing a reboot. This will result in command injection.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes unauthenticated remote command injection via the router's public web interface (post.cgi), directly enabling T1190 for initial access to a public-facing application and T1059.004 for arbitrary Unix shell command execution with elevated privileges.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly implements input validation mechanisms on the post.cgi nvram parameter to block command injection payloads.
Enforces authentication and authorization requirements to prevent unauthenticated access to the vulnerable post.cgi endpoint.
Requires timely remediation of the command injection flaw in post.cgi through patching or code correction.