cbcvebase.
CVE-2024-12847
published 2025-01-10

CVE-2024-12847: NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating…

PriorityP194critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
28.99%
97.9th percentile
NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been observed to be exploited in the wild since at least 2017 and specifically by the Shadowserver Foundation on 2025-02-06 UTC.

Affected

2 ranges
VendorProductVersion rangeFixed in
netgeardgn1000< 1.1.00.481.1.00.48
netgeardgn1000_firmware< 1.1.00.481.1.00.48

Detection & IOCsextracted from sources · hover to see the quote

path/setup.cgi
url/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netgear DGN Remote Code Execution (CVE-2024-12847)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; fast_pattern; startswith; content:"&curpath=/&currentsetting.htm=1"; endswith; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; content:!"|0d 0a|user-agent|0d 0a|"; reference:url,exploit-db.com/exploits/25978; reference:cve,2024-12847; classtype:attempted-admin; sid:2034576; rev:4;)
  • Exploit requests use HTTP GET method with no Referer or User-Agent headers — absence of both headers is a strong anomaly signal for this attack.
  • The URI pattern starts with /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd= and ends with &curpath=/&currentsetting.htm=1 — both anchors (startswith/endswith) should be used for precise matching.
  • This vulnerability has been actively exploited in the wild since at least 2017; treat any matching traffic as high-confidence intrusion attempt.
  • The Metasploit module targets the same setup.cgi endpoint and also covers DGN2000v1 models — scope detection rules to both device families.
  • ·The Snort/Suricata rule (ET sid:2034576) targets inbound HTTP from EXTERNAL_NET to HOME_NET — ensure your sensor is positioned to inspect inbound HTTP to the router's management interface, which may be on a non-standard or internal-facing segment.
  • ·Affected firmware is DGN1000 versions before 1.1.00.48; DGN2000v1 is also affected per the Metasploit module but may not be covered by the same firmware version threshold.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.