CVE-2024-30568
Published 2024-04-03. Netgear R6850 1.1.0.88 was discovered to contain a command injection vulnerability via the c4-IPAddr parameter.
Priority P1 (81) · critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS 47.20% (98.7th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgear | r6850_firmware | — | — |
Detection & IOCs (extracted from sources)

path: /setup.cgi

Snort/Suricata rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Netgear R6850 Command Injection via c4_IPAddr Parameter Attempt (CVE-2024-30568)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/setup.cgi|3f|"; startswith; http.request_body; content:"todo|3d|ping_test"; fast_pattern; content:"c4_IPAddr|3d|"; pcre:"/^.*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26|%26){2})+/R"; content:"next_file|3d|diagping.htm"; reference:cve,2024-30568; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-30568.yaml; classtype:attempted-admin; sid:2061410; rev:1; metadata:affected_product Netgear_Router, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_04_09, cve CVE_2024_30568, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

- Exploit targets HTTP POST to /setup.cgi with body parameters todo=ping_test and c4_IPAddr containing shell metacharacters (;, newline, backtick, |, $, &&) followed by next_file=diagping.htm
- The Snort/Suricata PCRE pattern for injection detection in the c4_IPAddr body parameter is `/^.*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26|%26){2})+/R`, which matches URL-encoded or raw shell metacharacters after the parameter value
- Exploitation is unauthenticated; no session cookie or authentication header is required. Detect POST requests to /setup.cgi from unauthenticated sources.
- Out-of-band callback (DNS/HTTP) to an attacker-controlled server is the primary indicator of successful exploitation; monitor for unexpected outbound DNS/HTTP from router management IPs.
- FOFA query for identifying exposed targets: app="NETGEAR" && "R6850"
- Vulnerability is only confirmed on firmware version V1.1.0.88; other versions are not listed as affected.
- The Snort rule (sid:2061410) is scoped to plaintext traffic only; TLS-wrapped management interfaces will not be detected by this rule.
Suricata rule: ET WEB_SPECIFIC_APPS Netgear R6850 Command Injection via c4_IPAddr Parameter Attempt (CVE-2024-30568) (suricata · 2025-04-09 · CVSS 9.8 · severity CRITICAL · sid 2061410)
Nuclei template: Netgear R6850 V1.1.0.88 - Command Injection (nuclei · CVSS 9.8 · severity CRITICAL)

Netgear R6850 router firmware version V1.1.0.88 suffers from a command injection vulnerability in the ping_test functionality. An unauthenticated attacker can inject arbitrary system commands through the c4_IPAddr parameter, resulting in remote code execution as root.

Template:

```yaml
id: CVE-2024-30568
info:
  name: Netgear R6850 V1.1.0.88 - Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    Netgear R6850 router firmware version V1.1.0.88 suffers from a command injection vulnerability in the ping_test functionality. An unauthenticated attacker can inject arbitrary system commands through the c4_IPAddr parameter, resulting in remote code execution as root.
  impact: |
    Attackers can execute arbitrary commands on the router, leading
```
No writeups or analysis indexed.
References:
- https://github.com/funny-mud-peee/IoT-vuls/blob/main/netgear%20R6850/Netgear-R6850%20V1.1.0.88%20Command%20Injection%28ping_test%29.md
- https://www.netgear.com/about/security/