
Security researcher Dylan has disclosed a set of eight previously unknown zero-day vulnerabilities affecting the Netgear WNR854T, a legacy router first released in 2017 and long since unsupported.
The report details a range of vulnerabilities, including buffer overflows and command injection flaws, which could allow attackers to gain control of affected devices.
- CVE-2024-54802: M-SEARCH Host BOF
This vulnerability is a stack-based buffer overflow in the UPnP service, specifically affecting the M-SEARCH Host header. The issue stems from an unbounded strcpy copy of the header value, which lets an attacker corrupt stack memory and control execution flow, leading to remote code execution.
The researcher states: “CVE-2024-54802 is a stack-based buffer overflow in the UPnP (Universal Plug and Play) service (/usr/sbin/upnp) affecting the M-SEARCH Host header.”
- CVE-2024-54803: PPPOE_PEER_MAC Authenticated Command Injection (Boot Persistent)
This is an authenticated command injection vulnerability affecting the router’s PPPOE configuration. Successful exploitation allows authenticated attackers to execute arbitrary system commands with root privileges.
The researcher emphasizes the severity, stating, “The injected commands persist across device reboots as they are stored in NVRAM, making this a particularly severe vulnerability that provides attackers with permanent access until manually remediated.”
- CVE-2024-54804: WAN_HOSTNAME Authenticated Command Injection (Boot Persistent)
Similar to the previous vulnerability, this is an authenticated command injection vulnerability, but it affects the router’s WAN hostname configuration. Exploitation grants authenticated attackers the ability to execute arbitrary system commands with root privileges, with the injected commands persisting across reboots.
The report highlights the potential impact: “This can lead to complete compromise of the router, enabling a whole host of malicious activities.”
- CVE-2024-54805: Sendmail Authenticated Command Injection
This vulnerability is an authenticated command injection flaw within the router’s email notification functionality. Attackers with valid credentials can execute arbitrary system commands with root privileges by manipulating the email address field.
The report notes the flexibility of this exploit: “This vulnerability provides a more flexible on-demand execution mechanism that can be repeatedly triggered without waiting for reboots.”
- CVE-2024-54806: Authenticated Webshell
The report indicates the existence of a webshell at cmd.cgi (0x15c50). Access to this webshell requires authentication.
- CVE-2024-54807: AddPortMapping Command Injection
This is an unauthenticated command execution vulnerability in the upnp binary. It exists because the arguments of an AddPortMapping request are concatenated into a string that is then passed to a system call.
The report emphasizes the severity: “This is potentially the most critical vulnerability reported due to its wide attack surface, lack of authentication, and low exploit complexity.”
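The command injection findings above (PPPOE_PEER_MAC, WAN_HOSTNAME, Sendmail and AddPortMapping) share one pattern: a value supplied by the operator, or for AddPortMapping by any LAN host, is pasted into a command line that a shell executes. Values stored in NVRAM such as the PPPoE peer MAC and the WAN hostname are read back at every boot, which is why those two persist. The C program below is an added example, not code from the advisory or from the WNR854T firmware: it validates each field against a strict allow-list and passes the values as separate argv entries to execv, so no shell ever parses them. The validator names, the hypothetical `/sbin/portmap_add` helper and the sample inputs are this example's assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allow-list validators.  Each NVRAM field or UPnP argument gets a strict
 * grammar; anything outside it is rejected before any command is built.
 * The grammars are this example's assumptions, not the firmware's. */

/* RFC 1123-style hostname: labels of [A-Za-z0-9-], no leading/trailing '-'. */
static int valid_hostname(const char *s)
{
    size_t len = strlen(s), lab = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i <= len; i++) {
        char c = s[i];
        if (c == '.' || c == '\0') {
            if (lab == 0 || lab > 63 || s[i - 1] == '-') return 0;
            lab = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (lab == 0 && c == '-') return 0;
            lab++;
        } else {
            return 0;                      /* ';', '`', '$', space, ... */
        }
    }
    return 1;
}

/* MAC as six colon-separated hex octets, e.g. 00:11:22:aa:bb:cc. */
static int valid_mac(const char *s)
{
    if (strlen(s) != 17) return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) { if (s[i] != ':') return 0; }
        else if (!isxdigit((unsigned char)s[i])) return 0;
    }
    return 1;
}

/* Dotted-quad IPv4 only; inet_pton rejects any trailing characters. */
static int valid_ipv4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Decimal port 1..65535, digits only (no sign, space or suffix). */
static int valid_port(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 5) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    long v = strtol(s, NULL, 10);
    return v >= 1 && v <= 65535;
}

/* Email for the notification feature: exactly one '@', conservative set. */
static int valid_email(const char *s)
{
    size_t len = strlen(s);
    int at = 0;
    if (len == 0 || len > 254) return 0;
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        if (c == '@') at++;
        else if (!isalnum((unsigned char)c) && !strchr("._+-", c)) return 0;
    }
    return at == 1 && s[0] != '@' && s[len - 1] != '@';
}

/* The vulnerable pattern the advisory describes: untrusted fields are
 * concatenated into one string that system() would hand to a shell.
 * Built here only so the contrast is visible; it is never executed. */
static int build_cmd_unsafe(char *out, size_t outlen,
                            const char *host, const char *port)
{
    return snprintf(out, outlen, "/sbin/portmap_add %s %s", host, port);
}

/* Hardened replacement: validate, then pass each value as its own argv
 * element so the kernel, not a shell, receives it unchanged. */
static int build_portmap_argv(const char *host, const char *port, char *argv[4])
{
    if (!valid_ipv4(host) || !valid_port(port)) return -1;
    argv[0] = "/sbin/portmap_add";         /* hypothetical helper name */
    argv[1] = (char *)host;
    argv[2] = (char *)port;
    argv[3] = NULL;
    return 0;
}

/* fork/execv: no /bin/sh involved, so shell metacharacters have no meaning. */
static int exec_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *argv[4];
    if (build_portmap_argv("192.168.1.10", "8080", argv) == 0) {
        argv[0] = "/bin/echo";             /* stand-in for the real helper */
        printf("helper exit status: %d\n", exec_argv(argv));
    }
    printf("hostname 'my-router;' accepted: %d\n", valid_hostname("my-router;"));
    printf("mac '00:11:22:aa:bb:cc' accepted: %d\n", valid_mac("00:11:22:aa:bb:cc"));
    return 0;
}
```

build_cmd_unsafe exists only to make the contrast visible and is never passed to system() here. In a real handler, a value that fails validation should be rejected and logged; that log line is also a useful detection point for attempts against these fields on devices that cannot be patched.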
- CVE-2024-54808: SetDefaultConnectionService BOF
This is a stack-based buffer overflow vulnerability in the SetDefaultConnectionService function. Successful exploitation can lead to hijacking of program execution.
The report mentions challenges in exploiting this vulnerability: “Issues with weaponization of this bug were encountered due to environmental constraints.”
- CVE-2024-54809: M-SEARCH ST BOF
This is another stack-based buffer overflow in the UPnP service, this time in the handling of the M-SEARCH ST header.
The report explains the cause: “The vulnerability is caused by improper bounds checking when copying the ST header value into a fixed-size stack variable.”
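The Host and ST header overflows (CVE-2024-54802 and CVE-2024-54809) share one root cause: a header value copied into a fixed-size stack buffer without a length check. The following C program is an added example, not code from the advisory or from the WNR854T firmware. It parses a constructed SSDP M-SEARCH request and shows the bounded copy that the unbounded strcpy pattern needs to become, including the rejection path for a value that does not fit. `HDR_MAX`, `extract_header`, `handle_msearch` and the sample requests are names and inputs chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Size of the fixed stack buffers that receive header values.  The
 * vulnerable pattern the advisory describes is, in effect:
 *     char host[HDR_MAX];
 *     strcpy(host, value);   // value length is chosen by the sender
 * It appears only in this comment; everything below is the bounded form. */
#define HDR_MAX 64

enum { HDR_OK = 0, HDR_MISSING = -1, HDR_TOO_LONG = -2 };

/* Find header `name` (case-insensitive) in a CRLF-delimited SSDP request and
 * copy its value into out[outlen].  When the value does not fit, nothing is
 * written and HDR_TOO_LONG is returned so the caller can drop the packet. */
static int extract_header(const char *req, const char *name,
                          char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *eol = strstr(req, "\r\n");      /* skip the request line */
    if (!eol) return HDR_MISSING;
    const char *line = eol + 2;

    while (*line) {
        eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen == 0) break;                /* blank line ends the headers */

        if (linelen > nlen && line[nlen] == ':' &&
            strncasecmp(line, name, nlen) == 0) {
            const char *val = line + nlen + 1;
            size_t vlen = linelen - nlen - 1;
            while (vlen && (*val == ' ' || *val == '\t')) { val++; vlen--; }
            if (vlen >= outlen) return HDR_TOO_LONG;   /* the missing check */
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return HDR_OK;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return HDR_MISSING;
}

/* Per-packet handler: both headers must parse and fit, otherwise drop. */
static int handle_msearch(const char *req)
{
    char host[HDR_MAX], st[HDR_MAX];
    if (extract_header(req, "HOST", host, sizeof host) != HDR_OK) return -1;
    if (extract_header(req, "ST", st, sizeof st) != HDR_OK) return -1;
    return 0;
}

/* Constructed sample: a well-formed discovery request. */
static const char GOOD_MSEARCH[] =
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\n"
    "MX: 2\r\n"
    "ST: upnp:rootdevice\r\n"
    "\r\n";

/* Constructed sample with an ST value of st_len bytes, used to exercise
 * the length check without ever overrunning a buffer. */
static void build_long_st_request(char *buf, size_t buflen, size_t st_len)
{
    size_t pos = (size_t)snprintf(buf, buflen,
        "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST: ");
    if (pos + st_len + 5 > buflen) st_len = buflen - pos - 5;
    memset(buf + pos, 'A', st_len);
    memcpy(buf + pos + st_len, "\r\n\r\n", 5);   /* includes the NUL */
}

int main(void)
{
    char big[512], st[HDR_MAX];
    build_long_st_request(big, sizeof big, 200);
    printf("good request accepted: %s\n",
           handle_msearch(GOOD_MSEARCH) == 0 ? "yes" : "no");
    printf("oversized ST rejected: %s\n",
           extract_header(big, "ST", st, sizeof st) == HDR_TOO_LONG ? "yes" : "no");
    return 0;
}
```

The rejected-packet path is where a defender gets visibility: counting HDR_TOO_LONG results per source address on a device's LAN interface is a cheap indicator of probing against these headers.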
The researcher followed a disclosure timeline, beginning with contacting the vendor on November 16, 2024. Despite acknowledging the report, the vendor stated they would not fix the issues due to the device being end-of-life (EOL). The vulnerabilities were subsequently disclosed publicly at DistrictCon.