Cyber Resilience

CVE-2025-28219

Critical · RCE

Published: 28 March 2025
Modified: 02 May 2025
KEV Added: not listed
Patch: none recorded
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1170 (93.8th percentile)
Risk Priority: 27 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-28219 is a critical-severity OS Command Injection (CWE-78) vulnerability in Netgear DC112A firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.2% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Netgear DC112A firmware version 1.0.0.64 contains an OS command injection vulnerability tracked as CVE-2025-28219 and CWE-78. The flaw resides in the usb_adv.cgi endpoint, where the deviceName parameter supplied in a POST request is passed directly to a system binary without sanitization, enabling arbitrary command execution.

Unauthenticated remote attackers can exploit the issue over the network by sending a crafted POST request. Successful exploitation grants full control over the device, allowing arbitrary command execution with impacts to confidentiality, integrity, and availability, consistent with the CVSS 9.8 rating.

The sole reference is a technical analysis PDF hosted on GitHub that documents the vulnerable code path in sub_69600; no vendor advisory or patch information is provided in the available sources. The EPSS score has remained flat at 0.1170 with no observed rise after disclosure.
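The mitigation the analysis points to (SI-10, validating deviceName before it reaches a system binary) can be illustrated in C, the language of firmware CGI handlers. This is an added example, not code from the Netgear firmware: the length limit, the helper path and its `--name` argument are assumptions, and the point is that an allow-listed name is handed to the helper as a separate argv element rather than through a shell.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumed maximum length for a USB device/share name (not a vendor value). */
#define DEVICE_NAME_MAX 32

/* Allow-list validation for the deviceName parameter (NIST SI-10).
 * Only [A-Za-z0-9_-] is accepted, with a non-empty, bounded length.
 * Anything else, including shell metacharacters and whitespace, is rejected. */
bool device_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    for (size_t i = 0; name[i] != '\0'; i++) {
        if (i >= DEVICE_NAME_MAX)
            return false;
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return false;
    }
    return true;
}

/* Second layer: even a validated name never passes through a shell.
 * helper_path stands in for whatever binary usb_adv.cgi invokes (assumed);
 * the name becomes its own argv entry via fork/execv, so no shell parsing
 * takes place. Returns the helper's exit status, or -1 if the name was
 * rejected or the process could not be started. */
int run_usb_helper(const char *helper_path, const char *device_name)
{
    if (!device_name_is_safe(device_name))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper_path, "--name",
                               (char *)device_name, NULL };
        execv(helper_path, argv);
        _exit(127); /* exec failed: report like a shell would, without one */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```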

Vulnerability details

Netgear DC112A V1.0.0.64 has an OS command injection vulnerability in the usb_adv.cgi, which allows remote attackers to execute arbitrary commands via parameter "deviceName" passed to the binary through a POST request.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in public-facing usb_adv.cgi enables remote unauthenticated exploitation of the web application (T1190) and direct execution of arbitrary Unix shell commands (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-12847 (same vendor: Netgear)
CVE-2024-54804 (same vendor: Netgear)
CVE-2024-54807 (same vendor: Netgear)
CVE-2022-40619 (same vendor: Netgear)
CVE-2024-54805 (same vendor: Netgear)
CVE-2024-54803 (same vendor: Netgear)
CVE-2024-54808 (same vendor: Netgear)
CVE-2024-54806 (same vendor: Netgear)
CVE-2024-54802 (same vendor: Netgear)
CVE-2025-50526 (same vendor: Netgear)

Affected Assets

Netgear DC112A firmware, version 1.0.0.64

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-10 Information Input Validation (prevent)

Directly prevents OS command injection by requiring validation and sanitization of untrusted inputs such as the deviceName parameter in usb_adv.cgi.

SI-2 Flaw Remediation (prevent)

Addresses the vulnerability by identifying, prioritizing, and remediating the input validation flaw in Netgear DC112A firmware V1.0.0.64.

SC-7 Boundary Protection (prevent, detect)

Boundary protection with a web application firewall monitors and blocks malicious POST requests carrying command injection payloads to usb_adv.cgi. This is a compensating control until a fixed firmware is available; it does not remove the flaw.
