RCE in NETGEAR WNR1000

CVE-2019-20488

An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple actions within the web management interface (setup.cgi) are vulnerable to command injection, allowing remote attackers to execute arbitrary commands, as demonstrated b…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.021 (79.6th percentile).

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Frequently asked questions

What is CVE-2019-20488?
CVE-2019-20488 is a critical-severity vulnerability in NETGEAR WNR1000, classified under OS Command Injection. CVSS score: 9.8/10. Published 2020-03-02.
How severe is CVE-2019-20488?
Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2019-20488 known to be exploited?
1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.