cbcvebase.
CVE-2024-48456
published 2025-01-06

CVE-2024-48456: An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and…

PriorityP180high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
17.29%
96.7th percentile
An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the parameter password at the change admin password page at the router web interface.

Detection & IOCsextracted from sources · hover to see the quote

path/change admin password page (parameter: password / new password)
filenamenetis_NC65_V3.0.0.3749.bin
filenamenetis_NX10_V2.0.1.3582_fw.bin
filenamenetis_NX10_V2.0.1.3643.bin
urlhttps://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/netis_unauth_rce_cve_2024_48456_and_48457.rb
  • Detect HTTP POST requests to the router's change admin password page containing base64-encoded payloads in the 'password' or 'new password' parameters — a hallmark of CVE-2024-48456 command injection exploitation.
  • Monitor for unauthenticated requests exploiting CVE-2024-48457 (password reset) immediately followed by authenticated POST requests to the change-password endpoint — this two-stage chain is the primary attack pattern for full root RCE.
  • Use CVE-2024-48455 unauthenticated information disclosure responses to fingerprint vulnerable Netis firmware versions in your environment before exploitation occurs.
  • Alert on exposure of the 'password' parameter value at the change admin password page of Netis router web interfaces, as this endpoint leaks sensitive credentials.
  • ·The exploit chain requires three chained CVEs (CVE-2024-48455, CVE-2024-48456, CVE-2024-48457); CVE-2024-48456 alone requires authentication, but the full unauthenticated RCE path depends on CVE-2024-48457 for credential reset.
  • ·The vulnerable firmware list is non-exhaustive; rebranded devices from GLCtec and Stonet may also be affected and should be assessed independently.
  • ·Additional firmware versions beyond those listed may be vulnerable, as the source explicitly notes the list is potentially incomplete.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.