CVE-2024-54804
Published: 31 March 2025
Summary
CVE-2024-54804 is a critical-severity Code Injection (CWE-94) vulnerability in Netgear Wnr854T Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly implements input validation mechanisms on the post.cgi nvram parameter to block command injection payloads.
Enforces authentication and authorization requirements to prevent unauthenticated access to the vulnerable post.cgi endpoint.
Requires timely remediation of the command injection flaw in post.cgi through patching or code correction.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes unauthenticated remote command injection via the router's public web interface (post.cgi), directly enabling T1190 for initial access to a public-facing application and T1059.004 for arbitrary Unix shell command execution with elevated privileges.
NVD Description
Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter wan_hostname and forcing a reboot. This will result in command injection.
Deeper analysisAI
CVE-2024-54804 is a command injection vulnerability (CWE-94) affecting the Netgear WNR854T router running firmware version 1.5.2 for North America. The flaw exists in the post.cgi script, where an attacker can send a specially crafted HTTP request to update the nvram parameter wan_hostname. This action forces a router reboot and triggers command injection during the process. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
An unauthenticated attacker with network access to the router can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting and sending the malicious request to post.cgi, the attacker injects arbitrary commands executed with elevated privileges during the reboot, potentially achieving full compromise of the device, including data theft, modification of configurations, or disruption of network services.
Further details on the vulnerability, including reproduction steps, are available in the advisory at https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#804. No vendor patches or specific mitigations are detailed in the provided information.
Details
- CWE(s)