CVE-2024-12847: NETGEAR Router Vulnerability Actively Exploited Since 2017

ISGroup Cybersecurity

CVE-2024-12847 is a critical vulnerability (CVSS 9.8) affecting NETGEAR routers, which has been actively exploited in real-world environments since at least 2017. The flaw allows remote attackers to gain unauthorized access to vulnerable devices without the need for authentication, leading to significant risks such as full device control, network compromise, and data exposure. The release of a Metasploit module further increases the likelihood of widespread exploitation.

Affected devices:

  • NETGEAR DGN1000: Firmware versions below 1.1.00.48
  • NETGEAR DGN2200 v1: All firmware versions (no longer supported)
    Other devices may be affected, but testing is not complete.
ProductNetgear-Router
Date2025-01-13 13:20:19
Information
  • Fix Available
  • Active Exploitation

Technical Summary

The vulnerability stems from inadequate authentication checks in the device’s embedded web server. Specifically, URLs containing the substring currentsetting.htm bypass authentication checks, allowing interaction with sensitive backend services. Attackers can exploit the setup.cgi endpoint to execute arbitrary commands. For example:

http://<target-ip-address>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=cat+/www/.htpasswd&curpath=/&currentsetting.htm=1

This manipulated URL allows an attacker to retrieve the /www/.htpasswd file containing the administrator’s password in plain text. The syscmd function of the setup.cgi script executes arbitrary commands, making remote code execution trivial.

Recommendations

  • NETGEAR DGN1000: Update immediately to firmware version 1.1.00.48 or later.
  • NETGEAR DGN2200 v1: Since support has been discontinued, users are advised to replace the device with a newer, supported model.
  • General best practices:
  • Disable remote management unless strictly necessary.
  • Restrict public access to router management interfaces via firewall.
  • Regularly update router firmware and verify network configuration.

[Callforaction-THREAT-Footer]