CVE-2024-54802

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Netgear WNR854T routers via a stack-based buffer overflow in the UPnP service. Attackers can exploit this by sending specially crafted M-SEARCH requests with oversized Host headers. All users of the affected router model and firmware version are vulnerable.

💻 Affected Systems

Products:
  • Netgear WNR854T
Versions: 1.5.2 (North America)
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: UPnP is typically enabled by default on consumer routers. The vulnerability is in the UPnP daemon (/usr/sbin/upnp).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the router with root-level remote code execution, allowing attackers to intercept traffic, modify configurations, pivot to internal networks, or install persistent malware.

🟠 Likely Case

Remote code execution leading to router takeover, network traffic interception, DNS hijacking, and potential lateral movement to connected devices.

🟢 If Mitigated

Limited impact if UPnP is disabled or the router is behind strict firewall rules blocking external UPnP requests.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and has a public proof-of-concept. Exploitation is straightforward with readily available tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch is available as this is an end-of-life device. Consider the workarounds below or replace the hardware.

🔧 Temporary Workarounds

Disable UPnP Service

Completely disable the vulnerable UPnP service to prevent exploitation.

ssh admin@router-ip
killall upnp
chmod -x /usr/sbin/upnp

Block UPnP Ports

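Block external access to UPnP ports (1900/udp, 5000/tcp) at the network perimeter. Because -A appends to the end of the INPUT chain, confirm that no earlier ACCEPT rule matches these ports.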

iptables -A INPUT -p udp --dport 1900 -j DROP
iptables -A INPUT -p tcp --dport 5000 -j DROP

🧯 If You Can't Patch

  • Replace the router with a supported model that receives security updates
  • Isolate the router in a separate VLAN with strict firewall rules limiting its network access

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface (Advanced > Administration > Router Status) or SSH: 'cat /proc/version'

Check Version:

cat /proc/version | grep -o 'WNR854T.*'

Verify Fix Applied:

Verify the UPnP service is not running: 'ps aux | grep "[u]pnp"' should return no results (the bracket keeps grep from matching its own process). Check firewall rules: 'iptables -L -n' should show the UPnP ports blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual UPnP M-SEARCH requests in router logs
  • Multiple large Host header requests to port 1900/udp

Network Indicators:

  • Abnormal UDP traffic to port 1900 with oversized packets
  • Suspicious M-SEARCH requests from external IPs

SIEM Query:

source="router.log" AND "M-SEARCH" AND (Host.length > 100 OR "upnp")
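
The Host-length check that the query above expresses, as an added example that is not from the advisory or the vendor. It runs over constructed SSDP datagrams; the function names and sample addresses are assumptions, and the 100-character limit is taken from the query.

```python
# Added example: flag SSDP M-SEARCH datagrams (1900/udp) with an oversized Host header.
HOST_LIMIT = 100  # threshold taken from the SIEM query on this page


def host_header_length(payload: bytes):
    """Return the longest Host value length in an M-SEARCH datagram,
    or None if the payload is not M-SEARCH or has no Host header."""
    text = payload.decode("latin-1")  # latin-1 decodes any byte sequence
    lines = text.replace("\r\n", "\n").split("\n")
    if not lines[0].upper().startswith("M-SEARCH "):
        return None
    longest = None
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            n = len(value.strip())
            # Duplicate Host headers: keep the longest one seen.
            longest = n if longest is None else max(longest, n)
    return longest


def scan(datagrams, limit=HOST_LIMIT):
    """datagrams: iterable of (source_ip, payload). Returns flagged (source_ip, host_len)."""
    hits = []
    for src, payload in datagrams:
        n = host_header_length(payload)
        if n is not None and n > limit:
            hits.append((src, n))
    return hits


# Constructed sample datagrams (documentation address ranges, not real traffic).
NORMAL = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n')
OVERSIZED = b"M-SEARCH * HTTP/1.1\r\nHost: " + b"A" * 300 + b"\r\nMX: 2\r\n\r\n"
NOTIFY = b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n"
SAMPLES = [("192.0.2.10", NORMAL), ("198.51.100.7", OVERSIZED), ("192.0.2.11", NOTIFY)]

if __name__ == "__main__":
    for src, n in scan(SAMPLES):
        print(f"ALERT src={src} host_len={n} limit={HOST_LIMIT}")
```
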
