CVE-2019-17137

CRITICAL

NETGEAR AC1200 R6220 Firmware <1.1.0.86 - Auth Bypass


Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-17137. PoCs published by vncloudsco.

AI-analyzed exploit summary: The repository contains a functional proof-of-concept for CVE-2019-17137, demonstrating an authentication bypass via a crafted HTTP request with a null byte (%00) to access restricted resources. The PoC targets a specific endpoint (`currentsetting.htm`) on a vulnerable device, likely a router or IoT device.

Description

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR AC1200 R6220 Firmware version 1.1.0.86 Smart WiFi Router. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of path strings. By inserting a null byte into the path, the user can skip most authentication checks. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-8616.

Exploits (1)

nomisec WORKING POC
by vncloudsco · poc
https://github.com/vncloudsco/CVE-2019-17137

Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Unknown (likely a router or IoT device with a web interface)
Authentication: None needed
Prerequisites: Network access to the target device · Target device must be vulnerable to the null byte injection
Analyzed by devstral-2 on Feb 19, 2026

References (1)

Third Party Advisory, VDB Entry: https://www.zerodayinitiative.com/advisories/ZDI-19-866/

Scores

CVSS v3: 9.4
EPSS: 0.0274
EPSS Percentile: 84.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

Details

CWE: CWE-626
Status: published
Products (1): netgear/ac1200_r6220_firmware 1.1.0.86
Published: Feb 10, 2020
Tracked Since: Feb 18, 2026