CVE-2013-10060

An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN2200B model) firmware versions 1.0.0.36 and prior via the pppoe.cgi endpoint. A remote attacker with valid credentials can execute arbitrary commands via crafted input to the pppoe_username parameter. This flaw allows full compromise of the device and may persist across reboots unless configuration is restored.
CVSS

No CVSS.

Configurations

No configuration.

History

06 Aug 2025, 15:15

Type        Values Removed                                                                                                                     Values Added
References  https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb  https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
References  https://web.archive.org/web/20170422033239/http://www.s3cur1ty.de/m1adv2013-015                                                    https://web.archive.org/web/20170422033239/http://www.s3cur1ty.de/m1adv2013-015
References  https://www.exploit-db.com/exploits/24513                                                                                          https://www.exploit-db.com/exploits/24513
References  https://www.exploit-db.com/exploits/24974                                                                                          https://www.exploit-db.com/exploits/24974

04 Aug 2025, 15:06

Type        Values Removed    Values Added
Summary                       (es) An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN2200B model) with firmware versions 1.0.0.36 and earlier via the pppoe.cgi endpoint. A remote attacker with valid credentials can execute arbitrary commands through crafted input in the pppoe_username parameter. This flaw allows full compromise of the device and may persist across reboots unless the configuration is restored.

01 Aug 2025, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-08-01 21:15

Updated : 2025-08-06 15:15

NVD link : CVE-2013-10060

Mitre link : CVE-2013-10060

CVE.ORG link : CVE-2013-10060

Products Affected

No product.

CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')