CVE-2024-12847 – This CVE describes an authentication bypass vul... (How to Fix)

Q: What is the severity of CVE-2024-12847?

CVE-2024-12847 has a CVSS score of 9.8 (CRITICAL). This CVE describes an authentication bypass vulnerability in NETGEAR DGN1000 routers that allows remote unauthenticated attackers to execute arbitrary operating system commands as root via crafted HTTP requests to the setup.cgi endpoint. This affects NETGEAR DGN1000 routers running firmware versions before 1.1.00.48. The vulnerability has been actively exploited in the wild since at least 2017.

📋 TL;DR

This CVE describes an authentication bypass vulnerability in NETGEAR DGN1000 routers that allows remote unauthenticated attackers to execute arbitrary operating system commands as root via crafted HTTP requests to the setup.cgi endpoint. This affects NETGEAR DGN1000 routers running firmware versions before 1.1.00.48. The vulnerability has been actively exploited in the wild since at least 2017.

💻 Affected Systems

Products:

NETGEAR DGN1000

Versions: All versions before 1.1.00.48

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web management interface which is typically enabled by default on both WAN and LAN interfaces.

📦 What is this software?

Dgn1000 Firmware by Netgear

View all CVEs affecting Dgn1000 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router with root-level command execution, allowing attackers to intercept network traffic, pivot to internal networks, install persistent malware, or brick the device.

🟠

Likely Case

Remote code execution leading to botnet enrollment, credential theft, DNS hijacking, or network surveillance.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access, though internal threats remain possible.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Multiple public exploits exist (Exploit-DB IDs 25978, 43055). Actively exploited since at least 2017 with recent observations by Shadowserver Foundation in 2025.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.00.48

Vendor Advisory: https://www.netgear.com/about/security/

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to Advanced > Administration > Router Update. 3. Check for updates and install firmware version 1.1.00.48 or later. 4. Reboot router after update completes.

🔧 Temporary Workarounds

Disable Remote Management

all

Disable web management interface on WAN/Internet-facing interface

Network Segmentation

all

Place router in isolated network segment with strict firewall rules

🧯 If You Can't Patch

Replace affected router with supported model
Implement strict network access controls to block all inbound traffic to router management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version via router web interface at Advanced > Administration > Router Status, or via command: curl -s http://router-ip/currentsetting.htm | grep Firmware

Check Version:

curl -s http://[ROUTER_IP]/currentsetting.htm | grep Firmware

Verify Fix Applied:

Verify firmware version is 1.1.00.48 or higher using same method as above

📡 Detection & Monitoring

Log Indicators:

HTTP requests to /setup.cgi with unusual parameters
Multiple failed authentication attempts followed by successful access
Unusual command execution in system logs

Network Indicators:

HTTP POST requests to router IP on port 80/443 containing command injection patterns
Outbound connections from router to suspicious IPs

SIEM Query:

source="router.log" AND (url="/setup.cgi" OR (method="POST" AND uri="*setup.cgi*"))

📊 Metadata

CVE ID: CVE-2024-12847

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

EPSS Score: 67.08% exploit probability (98.5th percentile)

Published: January 10, 2025

Last Updated: December 19, 2025

🔗 References

https://seclists.org/bugtraq/2013/Jun/8 Mailing List,Third Party Advisory
https://vulncheck.com/advisories/netgear-dgn Vendor Advisory
https://www.exploit-db.com/exploits/25978 Exploit,Third Party Advisory,VDB Entry
https://www.exploit-db.com/exploits/43055 Exploit,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-12847, you might also want to check these: