CVE-2024-12847

CRITICAL EXPLOITED

NETGEAR DGN1000 < 1.1.00.48 - Unauthenticated OS Command Injection via setup.cgi

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2024-12847 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including Metasploit, Roberto Paleari, Mumbai, Robort Palerie <[email protected]>, including a Metasploit module exploits/linux/http/netgear_dgn1000_setup_unauth_exec.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated command execution vulnerability in Netgear DGN1000/DGN2000v1 routers via the setup.cgi endpoint. It uses a cmdstager to deliver a reverse shell payload.

Description

NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been observed to be exploited in the wild since at least 2017 and specifically by the Shadowserver Foundation on 2025-02-06 UTC.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotehardware
https://www.exploit-db.com/exploits/43055

This Metasploit module exploits an unauthenticated command execution vulnerability in Netgear DGN1000/DGN2000v1 routers via the setup.cgi endpoint. It uses a cmdstager to deliver a reverse shell payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Netgear DGN1000 (firmware up to 1.1.00.48), DGN2000v1
No auth needed
Prerequisites: Network access to the target device · Vulnerable firmware version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP
by Roberto Paleari · textwebappshardware
https://www.exploit-db.com/exploits/25978

This advisory describes an unauthenticated command execution vulnerability in Netgear DGN devices, where attackers can bypass authentication via specific URLs containing 'currentsetting.htm' and execute arbitrary commands via the 'setup.cgi' script.

Classification
Writeup 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Netgear DGN1000 (firmware < 1.1.00.48), Netgear DGN2200 v1
No auth needed
Prerequisites: Network access to the target device · Knowledge of the target IP address
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Mumbai, Robort Palerie <[email protected]> · rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/netgear_dgn1000_setup_unauth_exec.rb

This Metasploit module exploits an unauthenticated remote command execution vulnerability in Netgear DGN1000 and DGN2000v1 routers via the setup.cgi file. It sends a crafted HTTP GET request with specific parameters to execute arbitrary commands on the target device.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Netgear DGN1000 (firmware versions up to 1.1.00.48) and DGN2000v1
No auth needed
Prerequisites: Network access to the target device · Target device must be running vulnerable firmware
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4
Core References
Mailing List, Third Party Advisory third-party-advisory technical-description
https://seclists.org/bugtraq/2013/Jun/8
Exploit, Third Party Advisory, VDB Entry exploit
https://www.exploit-db.com/exploits/25978
Exploit, VDB Entry exploit
https://www.exploit-db.com/exploits/43055
Vendor Advisory third-party-advisory
https://vulncheck.com/advisories/netgear-dgn

Scores

CVSS v3 9.8
EPSS 0.2911
EPSS Percentile 97.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2017-11-01
CWE
CWE-78 CWE-306
Status published
Products (2)
NETGEAR/DGN1000 < 1.1.00.48
netgear/dgn1000_firmware < 1.1.00.48
Published Jan 10, 2025
Tracked Since Feb 18, 2026