CVE-2024-54807
Published: 31 March 2025
Summary
CVE-2024-54807 is a critical-severity Code Injection (CWE-94) vulnerability in Netgear Wnr854T Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires input validation and sanitization at entry points, directly preventing command injection via the unsanitized NewInternalClient parameter in the UPnP AddPortMapping SOAPAction.
SI-2 mandates timely identification, testing, and installation of flaw remediation updates, directly addressing the command injection vulnerability through firmware patching.
CM-7 enforces least functionality by configuring systems to disable unnecessary services like UPnP, preventing exposure to the vulnerable WANIPConn1 AddPortMapping endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote command injection in public-facing UPnP service enables arbitrary command execution on the router via unsanitized system calls, directly mapping to T1190 (exploit public-facing application) and T1059.004 (Unix shell command execution).
NVD Description
In Netgear WNR854T 1.5.2 (North America), the UPNP service is vulnerable to command injection in the function addmap_exec which parses the NewInternalClient parameter of the AddPortMapping SOAPAction into a system call without sanitation. An attacker can send a specially crafted…
more
SOAPAction request for AddPortMapping via the router's WANIPConn1 service to achieve arbitrary command execution.
Deeper analysisAI
CVE-2024-54807 is a command injection vulnerability (CWE-94) affecting the UPnP service in Netgear WNR854T routers running firmware version 1.5.2 for North America. The flaw occurs in the addmap_exec function, which parses the NewInternalClient parameter from the AddPortMapping SOAPAction without sanitization before incorporating it into a system call, enabling arbitrary command execution.
The vulnerability can be exploited remotely by an unauthenticated attacker over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By sending a specially crafted SOAPAction request for AddPortMapping via the router's WANIPConn1 service, the attacker achieves arbitrary command execution on the device.
Details on mitigation, including any patches or workarounds, are available in the advisory at https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#807.
Details
- CWE(s)