Vulnerability Description
An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN2200B model) firmware versions 1.0.0.36 and prior via the pppoe.cgi endpoint. A remote attacker with valid credentials can execute arbitrary commands via crafted input to the pppoe_username parameter. This flaw allows full compromise of the device and may persist across reboots unless configuration is restored.
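The defensive check that closes this class of bug is to validate pppoe_username against a strict allowlist before the value is used anywhere near a shell, and the same check doubles as a log-review aid for requests to pppoe.cgi. The example below is added here and is not Netgear firmware code; the allowlist pattern and the "METHOD PATH?QUERY" log-line format are assumptions.

```python
import re
from urllib.parse import parse_qs

# Allowlist for PPPoE usernames (assumed policy, not taken from the Netgear firmware):
# letters, digits and the separators commonly seen in ISP logins such as user@isp.example.
PPPOE_USERNAME_RE = re.compile(r"^[A-Za-z0-9._@+-]{1,64}$")

# Characters that must never reach a command built from user-controlled input.
SHELL_META = set(";|&`$(){}<>\n\r\\'\"")


def validate_pppoe_username(value: str) -> bool:
    """Hardening check: accept only allowlisted characters before the value is used."""
    return PPPOE_USERNAME_RE.fullmatch(value) is not None


def suspicious_chars(value: str) -> set:
    """Detection aid: the shell metacharacters present in a submitted value."""
    return {c for c in value if c in SHELL_META}


def review_pppoe_requests(log_lines):
    """Flag requests to pppoe.cgi whose pppoe_username fails the allowlist.

    Each (constructed) log line has the form 'METHOD PATH?QUERY', with the
    form fields carried in the query string. Returns (username, metachars) pairs.
    """
    findings = []
    for line in log_lines:
        _method, _, target = line.partition(" ")
        path, _, query = target.partition("?")
        if not path.endswith("/pppoe.cgi"):
            continue
        params = parse_qs(query, keep_blank_values=True)
        for username in params.get("pppoe_username", []):
            if not validate_pppoe_username(username):
                findings.append((username, sorted(suspicious_chars(username))))
    return findings


# Constructed sample log lines, not captured from a real device.
SAMPLE_LOG = [
    "POST /pppoe.cgi?pppoe_username=alice%40isp.example&pppoe_passwd=x",
    "POST /pppoe.cgi?pppoe_username=bob%3Bls&pppoe_passwd=x",
    "GET /index.htm",
]
```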
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netgear | DGN2200B Firmware | <= 1.1.0.36 |
| Netgear | DGN2200B | - |
Related Weaknesses (CWE)
References
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exp (Exploit)
- https://web.archive.org/web/20170422033239/http://www.s3cur1ty.de/m1adv2013-015 (Exploit, Third Party Advisory)
- https://www.exploit-db.com/exploits/24513 (Exploit)
- https://www.exploit-db.com/exploits/24974 (Exploit)
- https://www.vulncheck.com/advisories/netgear-legacy-routers-rce (Third Party Advisory)
FAQ
What is CVE-2013-10060?
CVE-2013-10060 is a vulnerability with a CVSS score of 7.2 (HIGH). An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN2200B model) firmware versions 1.0.0.36 and prior via the pppoe.cgi endpoint. A remote attacker with val...
How severe is CVE-2013-10060?
CVE-2013-10060 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-10060?
Check the references section above for vendor advisories and patch information. Affected products include: Netgear DGN2200B Firmware, Netgear DGN2200B.