CVE-2024-57231

9.8 CRITICAL

📋 TL;DR

This CVE describes a command injection vulnerability in NETGEAR RAX5 routers that allows attackers to execute arbitrary commands on the device. Attackers can exploit this by sending specially crafted requests to the vulnerable function, potentially gaining full control of the router. All users of affected NETGEAR RAX5 routers with vulnerable firmware are at risk.

💻 Affected Systems

Products:
  • NETGEAR RAX5 (AX1600 WiFi Router)
Versions: V1.0.2.26
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of affected firmware versions. No special configuration is required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the router allowing attackers to intercept all network traffic, install persistent malware, pivot to internal network devices, and use the router as part of a botnet.

🟠 Likely Case: Attackers gain remote code execution on the router, enabling them to modify DNS settings, intercept credentials, and potentially access connected devices on the local network.

🟢 If Mitigated: With proper network segmentation and firewall rules, the impact is limited to the router itself, though attackers could still disrupt internet connectivity and potentially access other devices on the same network segment.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub reference contains technical details about the vulnerability, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check NETGEAR support site for firmware updates
2. Download latest firmware for RAX5
3. Log into router admin interface
4. Navigate to Advanced > Administration > Firmware Update
5. Upload and install the new firmware
6. Reboot router after installation

🔧 Temporary Workarounds

  • Disable WPS functionality (applies to: all) — Disable the WiFi Protected Setup (WPS) feature, which may reduce the attack surface.
  • Restrict admin access (applies to: all) — Configure the router admin interface to only allow access from specific IP addresses.

🧯 If You Can't Patch

  • Isolate the router on a dedicated network segment with strict firewall rules
  • Replace the router with a different model that doesn't have this vulnerability

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under Advanced > Administration > Firmware Update

Check Version:

Not applicable - check via web interface

Verify Fix Applied:

Verify firmware version is newer than V1.0.2.26 after applying any available updates

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to router management interface
  • Suspicious command execution in router logs
  • Multiple failed authentication attempts

Network Indicators:

  • Unusual outbound connections from router
  • DNS hijacking patterns
  • Traffic redirection

SIEM Query:

source="router_logs" AND ("apcli_do_enr_pbc_wps" OR "ifname" with special characters)
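As an added example (not part of this advisory or any vendor tooling), the pseudo-query above turned into a small checker: it scans constructed management-interface access-log lines and flags requests that reference apcli_do_enr_pbc_wps or carry an ifname parameter with characters outside a plain interface name. The log line format and the allowed ifname character set are assumptions; query-string parameters only, since POST bodies are not normally logged.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: legitimate ifname values are short alphanumerics such as "ra0" or "apcli0".
# Anything else (shell metacharacters, spaces, quotes) is treated as suspicious.
SAFE_IFNAME = re.compile(r"[A-Za-z0-9_.-]{1,15}")
WPS_FUNCTION = "apcli_do_enr_pbc_wps"  # function name taken from the advisory's SIEM query


def suspicious_ifname(value: str) -> bool:
    """True when the URL-decoded ifname value is not a plain interface name."""
    return SAFE_IFNAME.fullmatch(unquote(value)) is None


def analyse_request(line: str) -> Optional[dict]:
    """Parse a constructed access-log line 'CLIENT METHOD URL STATUS' and return
    a finding describing why it is suspicious, or None when it looks benign."""
    parts = line.split()
    if len(parts) < 4:
        return None
    client, method, url, _status = parts[:4]
    split = urlsplit(url)
    reasons = []
    if WPS_FUNCTION in url:
        reasons.append("references " + WPS_FUNCTION)
    for value in parse_qs(split.query, keep_blank_values=True).get("ifname", []):
        if suspicious_ifname(value):
            reasons.append(f"ifname contains unexpected characters: {unquote(value)!r}")
    if not reasons:
        return None
    return {"client": client, "method": method, "path": split.path, "reasons": reasons}


def scan(lines):
    """Return the findings for every suspicious line, in log order."""
    return [hit for hit in map(analyse_request, lines) if hit]


# Constructed sample lines for demonstration; these are not real router logs.
SAMPLE_LOG = [
    "192.168.1.10 GET /cgi-bin/status.cgi?ifname=ra0 200",
    "192.168.1.10 POST /cgi-bin/wps.cgi?ifname=apcli0 200",
    "203.0.113.7 POST /cgi-bin/wps.cgi?ifname=ra0%3Becho%20test 200",
    "203.0.113.7 GET /cgi-bin/apcli_do_enr_pbc_wps?ifname=ra0 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```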

🔗 References
