CVE-2013-10060
Severity CVSS v4.0:
CRITICAL
Type:
CWE-78
OS Command Injections
Publication date:
01/08/2025
Last modified:
23/09/2025
Description
An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN2200B model) firmware versions 1.0.0.36 and prior via the pppoe.cgi endpoint. A remote attacker with valid credentials can execute arbitrary commands via crafted input to the pppoe_username parameter. This flaw allows full compromise of the device and may persist across reboots unless configuration is restored.
Impact
Base Score 4.0
9.40
Severity 4.0
CRITICAL
Base Score 3.x
7.20
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:netgear:dgn2200b_firmware:*:*:*:*:*:*:*:* | 1.1.0.36 (including) | |
| cpe:2.3:h:netgear:dgn2200b:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
- https://web.archive.org/web/20170422033239/http://www.s3cur1ty.de/m1adv2013-015
- https://www.exploit-db.com/exploits/24513
- https://www.exploit-db.com/exploits/24974
- https://www.vulncheck.com/advisories/netgear-legacy-routers-rce
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
- https://web.archive.org/web/20170422033239/http://www.s3cur1ty.de/m1adv2013-015
- https://www.exploit-db.com/exploits/24513
- https://www.exploit-db.com/exploits/24974