CVE-2024-12147
📋 TL;DR
A critical buffer overflow vulnerability in Netgear R6900 routers allows remote attackers to execute arbitrary code by manipulating the Content-Length HTTP header in upgrade_check.cgi. This affects R6900 routers running firmware version 1.0.1.26_1.0.20. The vulnerability is particularly dangerous because these products are no longer supported by the vendor.
💻 Affected Systems
- Netgear R6900
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete device compromise, persistent backdoor installation, and lateral movement to connected networks.
Likely Case
Device crash/reboot causing service disruption, or limited code execution for information gathering.
If Mitigated
With proper network segmentation in place, the residual risk is denial of service caused by failed exploit attempts.
🎯 Exploit Status
Exploit details have been publicly disclosed on GitHub. The vulnerability requires no authentication and has a straightforward exploitation path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://www.netgear.com/
Restart Required: No
Instructions:
No official patch is available as this product is end-of-life. Consider the workarounds and risk reduction steps below.
🔧 Temporary Workarounds
Disable remote management
Prevent external access to the router's web interface
Access router admin panel > Advanced > Remote Management > Disable
Block access to upgrade_check.cgi
Use firewall rules to block requests to the vulnerable endpoint
iptables -A INPUT -p tcp --dport 80 -m string --string "upgrade_check.cgi" --algo bm -j DROP
🧯 If You Can't Patch
- Replace affected routers with supported models
- Isolate vulnerable routers in a separate VLAN with strict firewall rules
🔍 How to Verify
Check if Vulnerable:
Check router firmware version in admin panel: Advanced > Administration > Router Update > Current Firmware Version
Check Version:
curl -s http://router-ip/currentsetting.htm | grep Firmware
Verify Fix Applied:
Verify remote management is disabled and firewall rules are blocking upgrade_check.cgi access
📡 Detection & Monitoring
Log Indicators:
- Multiple HTTP requests to upgrade_check.cgi with abnormal Content-Length values
- Router crash/reboot logs
Network Indicators:
- HTTP POST requests to /upgrade_check.cgi with manipulated Content-Length headers
- Unusual outbound connections from router
SIEM Query:
source="router_logs" AND (uri="/upgrade_check.cgi" OR message="buffer overflow")
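A small scanner for the network indicators listed above, as an added example that is not part of this advisory: it parses raw HTTP requests (as an IDS or reverse proxy might export them; the samples are constructed) and flags requests to /upgrade_check.cgi whose Content-Length is non-numeric, oversized against an assumed 4096-byte threshold, or inconsistent with the body actually sent.

```python
import re

# Assumption: a genuine upgrade check carries a small form body.
MAX_SANE_CONTENT_LENGTH = 4096
TARGET_URI = "/upgrade_check.cgi"

def parse_request(raw):
    """Split a raw HTTP request into (method, uri, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body

def content_length_anomaly(headers, body):
    """Return a reason string if Content-Length looks hostile, else None."""
    raw = headers.get("content-length")
    if raw is None:
        return None
    if not re.fullmatch(r"\d+", raw):  # negative, hex, junk, etc.
        return f"non-numeric Content-Length {raw!r}"
    declared = int(raw)
    if declared > MAX_SANE_CONTENT_LENGTH:
        return f"oversized Content-Length {declared}"
    if declared != len(body):
        return f"Content-Length {declared} != body length {len(body)}"
    return None

def find_suspicious(requests):
    """Return (index, uri, reason) for each anomalous request to the CGI."""
    hits = []
    for i, raw in enumerate(requests):
        _method, uri, headers, body = parse_request(raw)
        if uri.split("?", 1)[0] == TARGET_URI:
            reason = content_length_anomaly(headers, body)
            if reason:
                hits.append((i, uri, reason))
    return hits

# Constructed sample traffic: one benign check, two abnormal headers,
# and an unrelated request that must be ignored.
SAMPLE_REQUESTS = [
    "POST /upgrade_check.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\nContent-Length: 11\r\n\r\nx=1&check=1",
    "POST /upgrade_check.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\nContent-Length: 99999999\r\n\r\n",
    "POST /upgrade_check.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\nContent-Length: -1\r\n\r\n",
    "GET /currentsetting.htm HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n",
]
```

The body-length mismatch rule assumes the export contains the full request body; truncated captures will trigger it spuriously, so drop that check or raise the threshold when feeding it header-only logs.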