CVE-2024-12847

Confirmed PUBLISHED

NETGEAR DGN setup.cgi OS Command Injection

NETGEAR · DGN1000

Not yet in CISA KEV

Exploited in the wild Active exploitation observed Virtual patch available

Recommended Action

Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.

Confidence
Confirmed
Exploitation Status
Active exploitation observed
Observed in Sensors
Yes
Attempts (30d)
145
Unique Attacker IPs
104
CISA KEV
Not yet in CISA KEV
Virtual Patch
Yes 3 targets
CVSS / EPSS
9.8 Critical EPSS 29.4%

At a Glance

NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been observed to be exploited in the wild since at least 2017 and specifically by the Shadowserver Foundation on 2025-02-06 UTC.

edge
CVE Published
Jan 10, 2025
Exploitation Reported
Jan 10, 2025
CVSS
9.8 Critical
EPSS
29.4%
Remote Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
NETGEAR
DGN1000

0 to < 1.1.00.48

Affected

CVE References

Recommended Actions

  • Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
  • Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.