Cyber Resilience

CVE-2024-54804

CriticalPublic PoCRCE

Published: 31 March 2025

Published
31 March 2025
Modified
17 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0364 88.1th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-54804 is a critical-severity Code Injection (CWE-94) vulnerability in Netgear Wnr854T Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Netgear WNR854T firmware version 1.5.2 for the North American market contains a command injection vulnerability tracked as CVE-2024-54804. The flaw resides in the post.cgi endpoint, which accepts an attacker-supplied value for the nvram parameter wan_hostname and then reboots the device, causing the supplied value to be executed as a system command. The issue is assigned CWE-94 and carries a CVSS 3.1 base score of 9.8.

An unauthenticated remote attacker can exploit the vulnerability by sending a single crafted HTTP request to the device. Successful exploitation grants arbitrary command execution with full privileges, allowing complete compromise of confidentiality, integrity, and availability without any user interaction.

The sole public reference is a technical write-up published at faultpoint.com that details eight similar issues in the same device. EPSS for the CVE rose from a low baseline to a peak of 0.1025 on 2026-03-14 before receding to its current value of 0.0364, indicating measurable post-disclosure exploitation interest that later subsided.

EU & UK References

Vulnerability details

Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter wan_hostname and forcing a reboot. This will result in command injection.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The CVE describes unauthenticated remote command injection via the router's public web interface (post.cgi), directly enabling T1190 for initial access to a public-facing application and T1059.004 for arbitrary Unix shell command execution with elevated privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-54807Same product: Netgear Wnr854T
CVE-2024-54805Same product: Netgear Wnr854T
CVE-2024-54803Same product: Netgear Wnr854T
CVE-2024-54806Same product: Netgear Wnr854T
CVE-2024-54808Same product: Netgear Wnr854T
CVE-2024-54802Same product: Netgear Wnr854T
CVE-2024-54809Same product: Netgear Wnr854T
CVE-2024-12847Same vendor: Netgear
CVE-2025-28219Same vendor: Netgear
CVE-2022-40619Same vendor: Netgear

Affected Assets

netgear
wnr854t firmware
1.5.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly implements input validation mechanisms on the post.cgi nvram parameter to block command injection payloads.

prevent

Enforces authentication and authorization requirements to prevent unauthenticated access to the vulnerable post.cgi endpoint.

prevent

Requires timely remediation of the command injection flaw in post.cgi through patching or code correction.

References