CVE-2024-12847: NETGEAR DGN setup.cgi OS Command Injection

9.8 CVSS

Description

NETGEAR DGN1000 before 1.1.00.48 contains an authentication bypass. A remote, unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been exploited in the wild since at least 2017.

Classification

CVE ID: CVE-2024-12847

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

Affected Products

Vendor: NETGEAR

Product: DGN1000

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.08% (probability of being exploited)

EPSS Percentile: 38.14% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-08 (date this score was calculated)

References

https://seclists.org/bugtraq/2013/Jun/8
https://www.exploit-db.com/exploits/25978
https://www.exploit-db.com/exploits/43055
https://vulncheck.com/advisories/netgear-dgn

Timeline