CVE-2019-12511
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary system commands as root on NETGEAR Nighthawk X10-R9000 routers by sending a specially-crafted MAC address to a SOAP endpoint. When combined with authentication bypass vulnerabilities (CVE-2019-12510), attackers can exploit this without credentials. Affected users are those running vulnerable firmware versions with QoS enabled.
💻 Affected Systems
- NETGEAR Nighthawk X10-R9000
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full root compromise of the router allowing complete control, credential theft, network pivoting, and persistent backdoor installation.
Likely Case
Router takeover leading to DNS manipulation, traffic interception, credential harvesting, and lateral movement into connected networks.
If Mitigated
Limited impact if QoS is disabled, firmware is patched, and network segmentation prevents router access from untrusted networks.
🎯 Exploit Status
Exploitation requires bypassing multiple limitations (17-character payload, all-caps, colon requirement) and combining with authentication bypass or DNS rebinding. Public research demonstrates successful root shell access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.4.26
Vendor Advisory: https://kb.netgear.com/000061447/Security-Advisory-for-Pre-Authentication-Command-Injection-on-R9000-PSV-2019-0075
Restart Required: Yes
Instructions:
1. Log into router admin interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and install version 1.0.4.26 or later. 4. Reboot router after update completes.
🔧 Temporary Workarounds
Disable QoS
allDisable Quality of Service features to prevent exploitation of the vulnerable endpoint
Network Segmentation
allIsolate router management interface from untrusted networks
🧯 If You Can't Patch
- Disable QoS and advanced QoS features immediately
- Implement strict network access controls to prevent external access to router management interface
🔍 How to Verify
Check if Vulnerable:
Check router firmware version via admin interface at Advanced > Administration > Firmware Update. If version is earlier than 1.0.4.26, the device is vulnerable.Check Version:
Not applicable - check via web interfaceVerify Fix Applied:
Confirm firmware version is 1.0.4.26 or later in the admin interface. Verify QoS can be disabled if needed.📡 Detection & Monitoring
Log Indicators:
- Unusual SOAP requests to AdvancedQoS endpoints
- MAC address parameters containing shell metacharacters
- Failed authentication attempts followed by successful API calls
Network Indicators:
- DNS rebinding attempts targeting router IP
- Unusual outbound connections from router to unknown destinations
- SOAP requests with crafted MAC addresses
SIEM Query:
source="router_logs" AND (uri="*AdvancedQoS*" OR param="*:*" OR method="POST" AND uri="*/soap/server_sa/*")