CVE-2019-19494
published 2020-01-09


Priority P2 70 · high 8.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 22.92% (97.5th percentile)
Broadcom based cable modems across multiple vendors are vulnerable to a buffer overflow, which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim's browser. Examples of affected products include Sagemcom F@st 3890 prior to 50.10.21_T4, Sagemcom F@st 3890 prior to 05.76.6.3f, Sagemcom F@st 3686 3.428.0, Sagemcom F@st 3686 4.83.0, NETGEAR CG3700EMR 2.01.05, NETGEAR CG3700EMR 2.01.03, NETGEAR C6250EMR 2.01.05, NETGEAR C6250EMR 2.01.03, Technicolor TC7230 STEB 01.25, COMPAL 7284E 5.510.5.11, and COMPAL 7486E 5.510.5.11.

Affected

11 ranges
Vendor       Product                Version range   Fixed in
compal       7284e_firmware
compal       7486e_firmware
netgear      c6250emr_firmware
netgear      c6250emr_firmware
netgear      cg3700emr_firmware
netgear      cg3700emr_firmware
sagemcom     f_st_3686_firmware
sagemcom     f_st_3686_firmware
sagemcom     f_st_3890_firmware     < 50.10.21_t4   50.10.21_t4
sagemcom     f_st_3890_firmware     < 05.76.6.3f    05.76.6.3f
technicolor  tc7230_steb_firmware

Detection & IOCs (extracted from sources)

port: 8080
  • The vulnerability is triggered via JavaScript executing in a victim's browser, targeting the cable modem's Spectrum Analyzer WebSocket interface — monitor for unexpected WebSocket connections from browser processes to internal/LAN IP addresses on modem management ports.
  • The attack vector is a buffer overflow against the cable modem's Spectrum Analyzer WebSocket endpoint; look for anomalously large or malformed WebSocket frames sent to modem management interfaces from internal hosts.
  • A DoS condition (modem crash/reboot) on affected devices may indicate exploitation attempts; correlate modem reboots with browser-side JavaScript activity on LAN hosts.
  • Exploit payload differs per make, model, and firmware version, and also varies by ISP — a generic exploit or signature will not cover all affected devices.
  • Affected firmware versions span multiple vendors; ensure detection/patching scope covers all listed models: Sagemcom F@st 3890 prior to 50.10.21_T4, Sagemcom F@st 3890 prior to 05.76.6.3f, Sagemcom F@st 3686 3.428.0, Sagemcom F@st 3686 4.83.0, NETGEAR CG3700EMR 2.01.05, NETGEAR CG3700EMR 2.01.03, NETGEAR C6250EMR 2.01.05, NETGEAR C6250EMR 2.01.03, Technicolor TC7230 STEB 01.25, COMPAL 7284E 5.510.5.11, COMPAL 7486E 5.510.5.11.

CVSS provenance

nvd  v3.1  8.8  HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd  v2.0  9.3  CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C