CVE-2019-19494
published 2020-01-09CVE-2019-19494: Broadcom based cable modems across multiple vendors are vulnerable to a buffer overflow, which allows a remote attacker to execute arbitrary code at the kernel…
PriorityP270high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
22.92%
97.5th percentile
Broadcom based cable modems across multiple vendors are vulnerable to a buffer overflow, which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim's browser. Examples of affected products include Sagemcom F@st 3890 prior to 50.10.21_T4, Sagemcom F@st 3890 prior to 05.76.6.3f, Sagemcom F@st 3686 3.428.0, Sagemcom F@st 3686 4.83.0, NETGEAR CG3700EMR 2.01.05, NETGEAR CG3700EMR 2.01.03, NETGEAR C6250EMR 2.01.05, NETGEAR C6250EMR 2.01.03, Technicolor TC7230 STEB 01.25, COMPAL 7284E 5.510.5.11, and COMPAL 7486E 5.510.5.11.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| compal | 7284e_firmware | — | — |
| compal | 7486e_firmware | — | — |
| netgear | c6250emr_firmware | — | — |
| netgear | c6250emr_firmware | — | — |
| netgear | cg3700emr_firmware | — | — |
| netgear | cg3700emr_firmware | — | — |
| sagemcom | f_st_3686_firmware | — | — |
| sagemcom | f_st_3686_firmware | — | — |
| sagemcom | f_st_3890_firmware | < 50.10.21_t4 | 50.10.21_t4 |
| sagemcom | f_st_3890_firmware | < 05.76.6.3f | 05.76.6.3f |
| technicolor | tc7230_steb_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →The vulnerability is triggered via JavaScript executing in a victim's browser, targeting the cable modem's Spectrum Analyzer WebSocket interface — monitor for unexpected WebSocket connections from browser processes to internal/LAN IP addresses on modem management ports. ↗
- →The attack vector is a buffer overflow against the cable modem's Spectrum Analyzer WebSocket endpoint; look for anomalously large or malformed WebSocket frames sent to modem management interfaces from internal hosts. ↗
- →A DoS condition (modem crash/reboot) on affected devices may indicate exploitation attempts; correlate modem reboots with browser-side JavaScript activity on LAN hosts. ↗
- ·Exploit payload differs per make, model, and firmware version, and also varies by ISP — a generic exploit or signature will not cover all affected devices. ↗
- ·Affected firmware versions span multiple vendors; ensure detection/patching scope covers all listed models: Sagemcom F@st 3890 prior to 50.10.21_T4, Sagemcom F@st 3890 prior to 05.76.6.3f, Sagemcom F@st 3686 3.428.0, Sagemcom F@st 3686 4.83.0, NETGEAR CG3700EMR 2.01.05, NETGEAR CG3700EMR 2.01.03, NETGEAR C6250EMR 2.01.05, NETGEAR C6250EMR 2.01.03, Technicolor TC7230 STEB 01.25, COMPAL 7284E 5.510.5.11, COMPAL 7486E 5.510.5.11. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
https://cablehaunt.comhttps://github.com/Lyrebirds/Cable-Haunt-Report/releases/download/2.4/report.pdfhttps://github.com/Lyrebirds/Fast8690-exploithttps://www.broadcom.comhttps://cablehaunt.comhttps://github.com/Lyrebirds/Cable-Haunt-Report/releases/download/2.4/report.pdfhttps://github.com/Lyrebirds/Fast8690-exploithttps://www.broadcom.com
2020-01-09
Published