CVE-2017-6334

Exploitation Summary

CVE-2017-6334 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 4 public exploits from researchers including Metasploit, SivertPL, thecarterb, SivertPL, including a Metasploit module exploits/linux/http/netgear_dnslookup_cmd_exec.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in NETGEAR DGN2200 routers by sending a crafted POST request to the dnslookup.cgi endpoint with valid credentials. The payload is executed via the host_name parameter.

Description

dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the host_name field of an HTTP POST request, a different vulnerability than CVE-2017-6077.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotecgi

https://www.exploit-db.com/exploits/42257

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in NETGEAR DGN2200 routers by sending a crafted POST request to the dnslookup.cgi endpoint with valid credentials. The payload is executed via the host_name parameter.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: NETGEAR DGN2200v1/v2/v3/v4

Auth required

Prerequisites: Valid credentials for the router · Network access to the target router

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by SivertPL · pythonwebappshardware

https://www.exploit-db.com/exploits/41459

View Code ZIP pw:eip

This exploit leverages a command injection vulnerability in Netgear routers via the dnslookup.cgi endpoint. It allows authenticated users to execute arbitrary commands by appending them to the host_name parameter, bypassing basic sanitization.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Netgear routers (specific versions not specified)

Auth required

Prerequisites: Network access to the router · Valid credentials (default or hardcoded)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by SivertPL · htmlwebappshardware

https://www.exploit-db.com/exploits/41472

View Code ZIP pw:eip

This exploit demonstrates a CSRF vulnerability in NETGEAR DGN2200 routers that, when chained with CVE-2017-6334, allows unauthenticated remote code execution by tricking an authenticated user into visiting a malicious webpage. The payload injects a command into the DNS lookup functionality to trigger a reboot.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: NETGEAR DGN2200v1/v2/v3/v4 firmware versions 10.0.0.20 to 10.0.0.50

No auth needed

Prerequisites: Victim must be authenticated to the router's web interface · Attacker must trick the victim into visiting a malicious webpage

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by thecarterb, SivertPL · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/netgear_dnslookup_cmd_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in NETGEAR DGN2200 routers by sending a crafted POST request to the dnslookup.cgi endpoint with valid credentials. The payload is appended to the host_name parameter, allowing remote command execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: NETGEAR DGN2200v1/v2/v3/v4 routers

Auth required

Prerequisites: Valid credentials for the router · Network access to the router's web interface

MITRE ATT&CK