Netgear DC112A V1.0.0.64 has an OS command injection vulnerability in the usb_adv.cgi, which allows remote attackers to execute arbitrary commands via parameter "deviceName" passed to the binary through a POST request.
The vulnerability results from insufficient validation and sanitization of the 'deviceName' parameter passed to the usb_adv.cgi script via an HTTP POST request. An attacker can inject arbitrary operating system commands into this parameter value, which are then executed by the device with its privileges. The attack requires no authentication or user interaction, and the attack vector scope is network-based.
An attacker can gain full control over the device by remotely executing arbitrary system commands, which may lead to a breach of confidentiality, integrity, and availability of the device and data processed by it.
Apply patches available from the manufacturer according to the references. If an update is not available, it is recommended to restrict access to the device management interface only to trusted hosts through network segmentation or firewall, and to disable unused USB functions.
Netgear DC112A with firmware version V1.0.0.64
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNetgear Dc112a
HWNetgearwszystkie wersjeNetgear Dc112a Firmware
OSNetgear1.0.0.64
Related vulnerabilities
Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker. This aff...
Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. This affects D6220 b...
Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. This affects DC112A ...
Certain NETGEAR devices are affected by a buffer overflow by an authenticated user. This affects D6220 before ...
Certain NETGEAR devices are affected by lack of access control at the function level. This affects D6220 befor...