Back to the articles

CVE-2024-39149 - Post-auth blind OS command injection vulnerability in NETGEAR's X6 R8000 devices

picture of the author
Gábor Selján
July 10, 2024 5 mins read
CVE-2024-39149 - Post-auth blind OS command injection vulnerability in NETGEAR's X6 R8000 devices

Table of contents

  1. Disclosure timeline
  2. Affected products
  3. Product URLs
  4. Summary
  5. Details
  6. Acknowledgments

Disclaimer: The following vulnerability was detected by BugProve's security research team conducting analysis on publicly available products/firmware. Firmware uploaded by users to BugProve's platform have no connection with any of our own research projects. For more information, check out our Vulnerability Disclosure Policy.

Disclosure timeline

Mar 11, 2024: BugProve reported the issues to CERT/CC.

Mar 12, 2024: NETGEAR acknowledged receipt of the report and requested 120 days to remediate the issue.

Mar 12, 2024: BugProve requested the industry standard 90 days timeline for remediation.

June 7, 2024: NETGEAR assigned PSV-2024-0022 to this vulnerability and released a hot fix in firmware version

June 17, 2024: BugProve requested a CVE ID from CERT/CC. Agreed to allocate CVE via MITRE.

July 5, 2024: MITRE assigned CVE-2024-39149.

July 10, 2024: Coordinated public release of advisory.

Affected products

NETGEAR’s X6 R8000 devices running firmware version and earlier are affected.

Product URLs

Nighthawk X6 R8000 - Product page

Nighthawk X6 R8000 - Support page


A post-auth blind OS command injection vulnerability exists when some versions of the X6 R8000 devices improperly handle user-provided input. This vulnerability allows an authenticated attacker to remotely execute OS commands on an affected device.

The autoipd binary contains a flaw that an attacker could exploit via the Basic Settings page of the web interface. An attacker can execute arbitrary OS commands by providing specially crafted values in the system_name parameter to the ether.cgi. An attacker could exploit this vulnerability to execute commands as part of the autoipd process, which runs as the root user.


The following analysis has been performed on firmware version of NETGEAR's R8000 device.

The device's basic Internet Setup page appears to be vulnerable to OS command injection attacks by setting the Account Name to a specially crafted value, as Figure 1. shows. Various shell metacharacters, including the pipe character “|", can be used to execute an injected command inline within the original command used to start the DHCP server. The command output does not appear to be returned in the application's response.

Figure 1. The basic Internet Setup page
Figure 1. The basic Internet Setup page

Figure 2. illustrates the submission of the payload bugproved|id in the system_name body parameter of a request to the path /ether.cgi.

Figure 2. Modifying the Account Name setting
Figure 2. Modifying the Account Name setting

Modifying the basic settings restarts all services and executes the vulnerable autoipd binary. Manually running the autoipd binary reveals the output of the injected id command, confirming the successful execution of the injected OS command, as Figure 3. shows.

Figure 3. Output of the injected id command
Figure 3. Output of the injected id command

PRIS, BugProve's proprietary firmware analysis engine, revealed that the vulnerability lies in the main() function within the autoipd binary. To start a udhcpc process, the program constructs the command string udhcpc -i %s -p /var/run/ -s /tmp/udhcpc -l %s %s & from the lan_ifname and user-provided system_name parameters. Figure 4. shows the result of a zero-day scan performed on the affected autoipd binary. Figure 4. Zero-day scan result of the autoipd binary

Figure 4. Zero-day scan result of the autoipd binary
Figure 4. Zero-day scan result of the autoipd binary

The following is a relevant excerpt from the decompiled source code of the affected main() function in the autoipd binary, showing the system_name parameter passed to the /sbin/acos_service program as the last option.

int main() {
  acosNvramConfig_read("lan_ifname", lan_ifname, 0x20);
  acosNvramConfig_read("system_name", system_name, 0x20);
  pcVar5 = (char *)(int)local_5c[0];
  bVar7 = pcVar5 == (char *)0x0;
  if (bVar7) {
    pcVar5 = "";
    system_name = in_r12;
  iVar2 = 0;
  if (!bVar7) {
    pcVar5 = "-H";
  if (bVar7) {
    system_name = pcVar5;
  sprintf(command, "udhcpc -i %s -p /var/run/ -s /tmp/udhcpc -l %s %s &", lan_ifname, pcVar5, system_name);

The command string constructed from the user-supplied parameter is executed in a subshell via the system() function, meaning that, among other features, shell metacharacters can be used to construct shell commands. Executing shell commands that incorporate unsanitized input from an untrusted source makes the application vulnerable to command injection, resulting in arbitrary command execution. For this reason, the use of system() is strongly discouraged in cases where the command string is constructed from external input. To replicate the vulnerability, send the following HTTP request using the curl utility as an authenticated user with an updated id parameter:

curl '<>' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Authorization: Basic YnVncHJvdjNE' \
  -H 'Cookie: XSRF_TOKEN=1222440606' \
  --data-raw 'apply=Apply&system_name=bugproved%7Cid&domain_name=&WANAssign=dhcp&DNSAssign=0&MACAssign=2&Spoofmac=B2A971694F7A&runtest=no&wan_proto=dhcp&wan_ipaddr='

The vulnerability has been confirmed as an authenticated user on an R8000 device emulated with QEMU. However, firmware version of RAX80 also seems to be affected.


The vulnerability was found by Gábor Selján at BugProve, using BugProve PRIS™.

Thanks to CERT/CC and NETGEAR’s Product Security Team for the effective coordination process.

Was it worth your time?

Sign up for our newsletter to receive articles like this in your inbox 1-2 times per month.