cbcvebase.
CVE-2024-48457
published 2025-01-06

CVE-2024-48457: An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and…

PriorityP355high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
3.03%
85.8th percentile
An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the endpoint /cgi-bin/skk_set.cgi and binary /bin/scripts/start_wifi.sh

Detection & IOCsextracted from sources · hover to see the quote

path/cgi-bin/skk_set.cgi
path/bin/scripts/start_wifi.sh
filenamenetis_NC65_V3.0.0.3749.bin
filenamenetis_NX10_V2.0.1.3582_fw.bin
filenamenetis_NX10_V2.0.1.3643.bin
  • Monitor for unauthenticated HTTP requests to /cgi-bin/skk_set.cgi, which is the vulnerable endpoint enabling password reset and sensitive information disclosure (CVE-2024-48457).
  • CVE-2024-48457 is used as a pre-authentication step in an exploit chain: an unauthenticated attacker resets the WiFi and router password via the vulnerable endpoint, then leverages the gained credentials to exploit the authenticated RCE (CVE-2024-48456). Detect sequential unauthenticated POST to /cgi-bin/skk_set.cgi followed by authenticated requests to the change-admin-password page.
  • The chained RCE (CVE-2024-48456) injects commands encoded in base64 into the 'password' or 'new password' parameter at the change admin password page. Inspect HTTP POST bodies for base64-encoded payloads in password fields on Netis router admin interfaces.
  • Affected devices include rebranded routers from GLCtec and Stonet in addition to Netis-branded devices. Expand detection scope to cover these brands running the same firmware.
  • CVE-2024-48455 (unauthenticated info disclosure) is used by attackers to fingerprint vulnerable firmware versions before launching the exploit chain. Detect unauthenticated requests that retrieve router configuration details as a precursor indicator.
  • ·The exploit chain requires three CVEs in sequence (CVE-2024-48455 for recon, CVE-2024-48457 for unauthenticated password reset, CVE-2024-48456 for authenticated RCE). Detection rules should account for the full chain, not just the individual CVE.
  • ·The vulnerable firmware list may not be exhaustive; additional firmware variants beyond those listed may also be affected.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.