Login Sign Up

CVE-2024-57225

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This CVE describes a command injection vulnerability in Linksys E7350 routers where an attacker can execute arbitrary commands via the devname parameter in the reset_wifi function. This allows remote code execution with root privileges on affected devices. All users running vulnerable firmware versions are affected.

💻 Affected Systems

Products:
  • Linksys E7350
Versions: 1.1.00.032
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only this specific firmware version is confirmed vulnerable. Other versions may also be affected but not verified.

📦 What is this software?

E7350 Firmware by Linksys

View all CVEs affecting E7350 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attacker to install persistent backdoors, intercept all network traffic, pivot to internal networks, or brick the device.

🟠

Likely Case

Attacker gains full control of the router to modify DNS settings, intercept credentials, or use as botnet node.

🟢

If Mitigated

No impact if device is not internet-facing and network segmentation prevents access to management interface.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing and this vulnerability allows unauthenticated remote code execution.
🏢 Internal Only: HIGH - Even internally, this provides full device compromise if attacker gains network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public GitHub repository contains proof-of-concept. The vulnerability is straightforward to exploit with basic networking knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes

Instructions:

1. Check Linksys support site for firmware updates. 2. Download latest firmware. 3. Access router admin interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router management interface

Network segmentation

all

Isolate router management interface to trusted network segment only

🧯 If You Can't Patch

  • Replace affected router with different model or vendor
  • Implement strict firewall rules blocking all access to router management interface from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via admin interface. If version is 1.1.00.032, device is vulnerable.

Check Version:

Check via router web interface at http://router_ip/ or via SSH if enabled

Verify Fix Applied:

Verify firmware version has been updated to a version later than 1.1.00.032

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to reset_wifi endpoint
  • Suspicious command execution in system logs
  • Multiple failed login attempts followed by successful access

Network Indicators:

  • Unusual outbound connections from router
  • DNS hijacking patterns
  • Unexpected SSH/Telnet connections from router

SIEM Query:

source="router_logs" AND (uri="/reset_wifi" OR command="*;*" OR command="*|*")

📊 Metadata

CVE ID: CVE-2024-57225
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
EPSS Score: 13.98% exploit probability (94.2th percentile)
Published: January 10, 2025
Last Updated: April 16, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-57225, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)