Cyber Resilience

CVE-2024-54807

CriticalPublic PoCRCE

Published: 31 March 2025

Published
31 March 2025
Modified
17 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0230 85.1th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-54807 is a critical-severity Code Injection (CWE-94) vulnerability in Netgear Wnr854T Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability CVE-2024-54807 is a command injection issue in the UPNP service of Netgear WNR854T firmware version 1.5.2 (North America). It occurs in the addmap_exec function, which takes the NewInternalClient parameter supplied in an AddPortMapping SOAPAction and passes it directly into a system call without sanitization, corresponding to CWE-94.

An unauthenticated remote attacker can exploit the flaw by sending a specially crafted SOAPAction request to the router's WANIPConn1 service over the network, achieving arbitrary command execution with full impact on confidentiality, integrity, and availability.

The single reference URL provides no advisory or patch information on mitigation steps. The EPSS score rose from low values to a peak of 0.0575 on 2026-03-14 before receding to the current 0.0230, indicating measurable post-disclosure exploitation interest that later subsided.

EU & UK References

Vulnerability details

In Netgear WNR854T 1.5.2 (North America), the UPNP service is vulnerable to command injection in the function addmap_exec which parses the NewInternalClient parameter of the AddPortMapping SOAPAction into a system call without sanitation. An attacker can send a specially crafted…

more

SOAPAction request for AddPortMapping via the router's WANIPConn1 service to achieve arbitrary command execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Remote command injection in public-facing UPnP service enables arbitrary command execution on the router via unsanitized system calls, directly mapping to T1190 (exploit public-facing application) and T1059.004 (Unix shell command execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-54804Same product: Netgear Wnr854T
CVE-2024-54805Same product: Netgear Wnr854T
CVE-2024-54803Same product: Netgear Wnr854T
CVE-2024-54806Same product: Netgear Wnr854T
CVE-2024-54808Same product: Netgear Wnr854T
CVE-2024-54802Same product: Netgear Wnr854T
CVE-2024-54809Same product: Netgear Wnr854T
CVE-2024-12847Same vendor: Netgear
CVE-2025-28219Same vendor: Netgear
CVE-2022-40619Same vendor: Netgear

Affected Assets

netgear
wnr854t firmware
1.5.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires input validation and sanitization at entry points, directly preventing command injection via the unsanitized NewInternalClient parameter in the UPnP AddPortMapping SOAPAction.

prevent

SI-2 mandates timely identification, testing, and installation of flaw remediation updates, directly addressing the command injection vulnerability through firmware patching.

prevent

CM-7 enforces least functionality by configuring systems to disable unnecessary services like UPnP, preventing exposure to the vulnerable WANIPConn1 AddPortMapping endpoint.

References