CVE-2024-35519
Description
Netgear EX6120 v1.0.0.68, Netgear EX6100 v1.0.2.28, and Netgear EX3700 v1.0.0.96 are vulnerable to command injection in operating_mode.cgi via the ap_mode parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability in the ap_mode parameter of operating_mode.cgi allows authenticated remote attackers to execute arbitrary commands on affected Netgear extenders.
Vulnerability
A command injection flaw exists in the ap_mode parameter of operating_mode.cgi in the httpd component of Netgear EX6120 (firmware versions up to 1.0.0.68), EX6100 (up to 1.0.2.28), and EX3700 (up to 1.0.0.96) range extenders [1]. The vulnerable code path is reachable via the administrative web interface, requiring an authenticated session [1]. Prior firmware versions for these devices may also be affected [1].
Exploitation
An attacker must have network access to the affected extender (adjacent network, CVSS vector AV:A) and possess valid administrative credentials (privilege required: High) [1]. The attacker sends an HTTP request to operating_mode.cgi in which the ap_mode parameter contains operating system commands. No user interaction is required beyond the authenticated session [1].
Impact
Successful exploitation results in arbitrary command execution with the privileges of the httpd process, leading to full compromise of confidentiality, integrity, and availability (C:H/I:H/A:H) [1]. An attacker can install persistent backdoors, exfiltrate network credentials, or pivot to other devices on the network [1].
Mitigation
Netgear has released firmware version 1.0.0.70 for the EX6120 as a fix [1]. For the EX6100 and EX3700, a patched version has not been explicitly identified in the available references [1]. Users should update to the latest firmware available on the Netgear support site and restrict administrative access to trusted networks. The vulnerability is tracked under PSV-2023-0153 [1].
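A detection check for the request shape described under Exploitation, added here as an example and not taken from Netgear or from the cited reference. It assumes the request is available as raw bytes (for instance from a proxy or IDS capture of the plaintext admin interface) and that a legitimate ap_mode value is a short alphanumeric token; the allowlist pattern, host name and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TARGET = "operating_mode.cgi"   # endpoint named in the CVE description
PARAM = "ap_mode"               # parameter named in the CVE description
# Assumption: a legitimate ap_mode value is a short alphanumeric token, so
# anything else (shell metacharacters included) is reported.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,16}")

def inspect_request(raw: bytes):
    """Return a finding dict for a suspicious request, or None if it looks benign."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return None  # not an HTTP request line
    url = urlsplit(target)
    if url.path.rsplit("/", 1)[-1] != TARGET:
        return None
    # Parameters may arrive in the query string or in a form-encoded body;
    # parse_qsl percent-decodes them, so encoded metacharacters are seen too.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    pairs += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    for name, value in pairs:
        if name == PARAM and not SAFE_VALUE.fullmatch(value):
            return {"method": method, "path": url.path, "value": value}
    return None

# Constructed sample requests (not captured traffic).
HEADERS = (b"Host: extender.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
BENIGN = b"POST /operating_mode.cgi HTTP/1.1\r\n" + HEADERS + b"ap_mode=1&submit=Apply"
SUSPECT = (b"POST /operating_mode.cgi HTTP/1.1\r\n" + HEADERS
           + b"ap_mode=1%3Becho+marker&submit=Apply")
OTHER = b"GET /status.cgi?ap_mode=1%3Bx HTTP/1.1\r\nHost: extender.example\r\n\r\n"

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT, OTHER):
        print(inspect_request(sample))
```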
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 4
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in our index yet)