CVE-2024-54807
Published: 31 March 2025
Summary
CVE-2024-54807 is a critical-severity Code Injection (CWE-94) vulnerability in Netgear Wnr854T Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability CVE-2024-54807 is a command injection issue in the UPNP service of Netgear WNR854T firmware version 1.5.2 (North America). It occurs in the addmap_exec function, which takes the NewInternalClient parameter supplied in an AddPortMapping SOAPAction and passes it directly into a system call without sanitization, corresponding to CWE-94.
An unauthenticated remote attacker can exploit the flaw by sending a specially crafted SOAPAction request to the router's WANIPConn1 service over the network, achieving arbitrary command execution with full impact on confidentiality, integrity, and availability.
The single reference URL provides no advisory or patch information on mitigation steps. The EPSS score rose from low values to a peak of 0.0575 on 2026-03-14 before receding to the current 0.0230, indicating measurable post-disclosure exploitation interest that later subsided.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9056
Vulnerability details
In Netgear WNR854T 1.5.2 (North America), the UPNP service is vulnerable to command injection in the function addmap_exec which parses the NewInternalClient parameter of the AddPortMapping SOAPAction into a system call without sanitation. An attacker can send a specially crafted…
more
SOAPAction request for AddPortMapping via the router's WANIPConn1 service to achieve arbitrary command execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote command injection in public-facing UPnP service enables arbitrary command execution on the router via unsanitized system calls, directly mapping to T1190 (exploit public-facing application) and T1059.004 (Unix shell command execution).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires input validation and sanitization at entry points, directly preventing command injection via the unsanitized NewInternalClient parameter in the UPnP AddPortMapping SOAPAction.
SI-2 mandates timely identification, testing, and installation of flaw remediation updates, directly addressing the command injection vulnerability through firmware patching.
CM-7 enforces least functionality by configuring systems to disable unnecessary services like UPnP, preventing exposure to the vulnerable WANIPConn1 AddPortMapping endpoint.