CVE-2024-5247

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated remote attackers to upload arbitrary files to NETGEAR ProSAFE Network Management System installations, leading to remote code execution with SYSTEM privileges. The flaw exists in the UpLoadServlet class due to insufficient input validation. Organizations using affected NETGEAR NMS versions are at risk.

💻 Affected Systems

Products:
  • NETGEAR ProSAFE Network Management System (NMS300)
Versions: Prior to 1.7.0.15
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authentication to exploit, but default credentials or weak authentication may increase risk.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, allowing attackers to install malware, exfiltrate data, pivot to other systems, or disrupt network operations.

🟠 Likely Case

Unauthorized file upload leading to web shell deployment, persistence establishment, and subsequent lateral movement within the network.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and file upload restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Authentication is required, but exploitation is straightforward once authenticated. The ZDI-CAN-22923 identifier suggests active research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.0.15

Vendor Advisory: https://kb.netgear.com/000066165/Security-Advisory-for-Missing-Function-Level-Access-Control-on-the-NMS300-PSV-2024-0005

Restart Required: Yes

Instructions:

1. Download NMS300 version 1.7.0.15 from the NETGEAR support portal.
2. Back up the current configuration.
3. Run the installer as administrator.
4. Restart the system after installation completes.

🔧 Temporary Workarounds

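Restrict UploadServlet Access (Windows)

Block access to the vulnerable servlet endpoint using web server configuration or firewall rules. Windows Firewall filters by port rather than URL path, so the example rule below blocks all inbound access to the NMS web interface on TCP 8080, not only the servlet.

# Example for Windows Firewall:
New-NetFirewallRule -DisplayName "Block NMS UploadServlet" -Direction Inbound -Protocol TCP -LocalPort 8080 -RemoteAddress Any -Action Block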

Implement Strong Authentication (all platforms)

Enforce multi-factor authentication and strong password policies to reduce risk of credential compromise.

🧯 If You Can't Patch

  • Network segmentation: Isolate NMS system from critical infrastructure and internet access
  • Implement strict file upload validation at WAF or reverse proxy layer

🔍 How to Verify

Check if Vulnerable:

Check NMS version in web interface under Help > About. If version is below 1.7.0.15, system is vulnerable.

Check Version:

Check web interface at http://[nms-ip]:8080/help/about.jsp or examine installed programs in Windows Control Panel

Verify Fix Applied:

Verify version shows 1.7.0.15 or higher in Help > About section after patch installation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /servlet/UploadServlet
  • Multiple failed authentication attempts followed by successful login
  • Suspicious process creation from web server context

Network Indicators:

  • HTTP POST requests to /servlet/UploadServlet with unusual file extensions
  • Outbound connections from NMS server to unknown external IPs

SIEM Query:

source="nms_logs" AND (uri="/servlet/UploadServlet" OR process="cmd.exe" OR process="powershell.exe")
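
One way to act on the log and network indicators above, as an added example (not NETGEAR's code and not part of the original page): it scans web access logs for accepted POSTs to the upload servlet and raises the severity when the same client produced a burst of failed authentications shortly before. The Common Log Format, the use of HTTP 401 for failed authentication, the thresholds and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Common Log Format; an assumption, not real NMS300 output.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jun/2024:10:00:01 +0000] "GET / HTTP/1.1" 401 210
192.0.2.10 - - [03/Jun/2024:10:00:03 +0000] "GET / HTTP/1.1" 401 210
192.0.2.10 - - [03/Jun/2024:10:00:05 +0000] "GET / HTTP/1.1" 401 210
192.0.2.10 - - [03/Jun/2024:10:00:09 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.10 - - [03/Jun/2024:10:01:30 +0000] "POST /servlet/UpLoadServlet HTTP/1.1" 200 64
198.51.100.7 - - [03/Jun/2024:11:15:00 +0000] "POST /servlet/UploadServlet?x=1 HTTP/1.1" 200 64
198.51.100.7 - - [03/Jun/2024:11:16:00 +0000] "GET /servlet/UploadServlet HTTP/1.1" 200 64
203.0.113.5 - - [03/Jun/2024:12:00:00 +0000] "POST /servlet/UploadServlet HTTP/1.1" 401 210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+')
SERVLET = "/servlet/uploadservlet"  # compared case-insensitively; the page spells it two ways

def find_upload_alerts(log_text, window=timedelta(minutes=10), min_failures=3):
    """Return one alert dict per accepted POST to the upload servlet."""
    failures = defaultdict(deque)   # client IP -> timestamps of recent 401 responses
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, status = m["ip"], int(m["status"])
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()        # age out failures older than the window
        if status == 401:
            recent.append(ts)       # rejected request: count it, never alert on it
            continue
        path = m["uri"].split("?", 1)[0].lower()
        if m["method"] == "POST" and path == SERVLET and 200 <= status < 400:
            severity = "high" if len(recent) >= min_failures else "review"
            alerts.append({"ip": ip, "time": ts.isoformat(), "severity": severity,
                           "prior_failures": len(recent)})
    return alerts

if __name__ == "__main__":
    for alert in find_upload_alerts(SAMPLE_LOG):
        print(alert)
```

Every accepted POST is reported because the servlet should see little legitimate traffic; the "review" tier is for confirming the upload against change records.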
