CVE-2024-35518
Description
Netgear EX6120 v1.0.0.68 is vulnerable to Command Injection in genie_fix2.cgi via the wan_dns1_pri parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Netgear EX6120 v1.0.0.68 and prior contain a command injection flaw in genie_fix2.cgi via the wan_dns1_pri parameter, enabling authenticated remote code execution with high privileges.
Vulnerability
The Netgear EX6120 AC1200 Dual Band WiFi Range Extender, firmware version 1.0.0.68 (and likely prior versions), is vulnerable to an authenticated command injection in the genie_fix2.cgi CGI script. The wan_dns1_pri parameter is not properly sanitized, allowing arbitrary shell commands to be injected. The vulnerability exists in the httpd process, libacos_shared.so, and acos_service components [1].
Exploitation
An attacker must be able to authenticate to the administrative web interface (local network access required). Once authenticated, a crafted HTTP POST request to genie_fix2.cgi with a malicious value in the wan_dns1_pri parameter triggers the injection. No user interaction beyond authentication is needed, and the attack complexity is low [1].
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the web server (root), leading to full compromise of the device. This results in high impact on confidentiality, integrity, and availability, and the attack can be extended to other devices on the network due to the scope change [1].
Mitigation
Netgear has released fixed firmware version 1.0.0.98 to address this vulnerability. Users should update immediately via the device's administrative interface or from Netgear's support page [1]. There are no known workarounds, and this CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
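One way to triage captured admin-interface traffic for the request described under Exploitation, as an added example (not Netgear's code and not part of the cited advisory). It assumes the POST body is form-urlencoded and that a legitimate wan_dns1_pri value is a bare IPv4 address; the request tuples are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

PARAM = "wan_dns1_pri"        # parameter named in the CVE description
ENDPOINT = "genie_fix2.cgi"   # CGI script named in the CVE description
_IPV4 = re.compile(r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})")


def is_plain_ipv4(value):
    """True only for a bare dotted quad with every octet in 0..255."""
    m = _IPV4.fullmatch(value)  # fullmatch rejects trailing newlines and spaces
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


def suspicious_values(method, url, body):
    """Return the wan_dns1_pri values of one request that are not a plain IPv4."""
    if method.upper() != "POST":
        return []
    if not urlsplit(url).path.endswith("/" + ENDPOINT):
        return []
    # Assumption: form-urlencoded body. parse_qs percent-decodes each value and
    # keeps every occurrence of a repeated parameter, so all copies are checked.
    fields = parse_qs(body, keep_blank_values=True)
    return [v for v in fields.get(PARAM, []) if not is_plain_ipv4(v)]


def scan(records):
    """Return (index, offending values) for every record worth a closer look."""
    return [(i, bad) for i, rec in enumerate(records)
            if (bad := suspicious_values(*rec))]


# Constructed sample requests: (method, URL, body). PLACEHOLDER stands in for
# whatever follows the address; no real payload is reproduced here.
SAMPLES = [
    ("POST", "/genie_fix2.cgi", "wan_dns1_pri=192.168.1.1"),
    ("POST", "/genie_fix2.cgi", "wan_dns1_pri=9.9.9.9%3BPLACEHOLDER"),
    ("POST", "/genie_fix2.cgi",
     "wan_dns1_pri=9.9.9.9&wan_dns1_pri=9.9.9.9%0APLACEHOLDER"),
    ("POST", "/other.cgi", "wan_dns1_pri=9.9.9.9%3BPLACEHOLDER"),
    ("GET", "/genie_fix2.cgi", ""),
]

if __name__ == "__main__":
    for index, bad in scan(SAMPLES):
        print(f"record {index}: unexpected {PARAM} value(s): {bad!r}")
```

The check is an allow-list on the expected value shape rather than a list of shell metacharacters, so encoded or unusual separators are flagged without having to be enumerated.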
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.