CVE-2024-12847 CRITICAL

CVE-2024-12847: NETGEAR DGN setup.cgi OS Command Injection

Vendor: Netgear
Product: DGN1000
Weakness: CWE-78
Published: January 10, 2025
Last update: April 7, 2026

CVSS base score

9.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

NETGEAR DGN1000 before 1.1.00.48 contains an authentication bypass vulnerability. A remote, unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. Exploitation of this vulnerability in the wild has been observed since at least 2017, and the Shadowserver Foundation specifically observed it on 2025-02-06 UTC.

Key dates

02 Disclosure timeline

January 10, 2025: CVE published
April 7, 2026: Record updated