cbcvebase.
CVE-2013-10060
published 2025-08-01

CVE-2013-10060: An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN2200B model) firmware versions 1.0.0.36 and prior via the…

PriorityP261high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EXPLOIT
EPSS
4.55%
90.4th percentile
An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN2200B model) firmware versions 1.0.0.36 and prior via the pppoe.cgi endpoint. A remote attacker with valid credentials can execute arbitrary commands via crafted input to the pppoe_username parameter. This flaw allows full compromise of the device and may persist across reboots unless configuration is restored.

Affected

2 ranges
VendorProductVersion rangeFixed in
netgeardgn2200b<= 1.0.0.36
netgeardgn2200b_firmware<= 1.1.0.36

Detection & IOCsextracted from sources · hover to see the quote

url/pppoe.cgi
otherpppoe_username
pathmodules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
  • Monitor HTTP requests targeting the /pppoe.cgi endpoint on Netgear DGN2200B devices, particularly POST requests containing shell metacharacters or command sequences in the pppoe_username parameter.
  • Since the vulnerability is a blind OS command injection, look for out-of-band indicators such as unexpected ICMP ping traffic originating from the router to external/attacker-controlled hosts as a sign of exploitation testing.
  • Alert on successful authentication to the Netgear DGN2200B web interface using default credentials (admin/admin or admin/password) followed by requests to pppoe.cgi.
  • Flag firmware versions 1.0.0.36 and prior on Netgear DGN2200B devices as vulnerable; inventory and prioritize these for patching or network isolation.
  • ·Exploitation overwrites parts of the PPPoE configuration on the device; defenders should verify PPPoE settings integrity after any suspected exploitation event.
  • ·The vulnerability may persist across reboots if the malicious configuration is not explicitly restored, meaning a reboot alone is insufficient for remediation.
  • ·No command output is returned to the attacker due to the blind nature of the injection; detection cannot rely on response-body anomalies and must focus on out-of-band signals or configuration changes.

CVSS provenance

nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.4CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.