PT-2020-9329 · NetGear · Netgear Nighthawk X10-R900

Published: 2020-02-24 · Updated: 2020-08-24 · CVE-2019-12510

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: NETGEAR Nighthawk X10-R900 versions prior to 1.0.4.26

Description: The issue allows an attacker to bypass authentication checks on the device's "NETGEAR Genie" SOAP API by supplying a malicious X-Forwarded-For header carrying the device's LAN IP address in every request. This enables the attacker to modify almost all of the device's settings and to view various configuration settings. The affected API endpoint is "/soap/server sa".

Recommendations: For versions prior to 1.0.4.26, update to version 1.0.4.26 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/soap/server sa" API endpoint until a patch is applied. Avoid using the X-Forwarded-For header with the device's LAN IP address in requests to the affected API endpoint until the issue is resolved.
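The root cause described above is an origin check that trusts a client-supplied forwarding header instead of the address the connection actually came from. The following is an added example, not code from the Netgear firmware or from the advisory: it places a flawed check of that kind beside a hardened one that only honours X-Forwarded-For when the TCP peer is a proxy the operator controls (a router terminating its own connections has none, so the header is ignored), and adds a detection rule that flags a connection from outside the LAN claiming a LAN source. The LAN range 192.168.1.0/24, the device address 192.168.1.1, the `Request` class and all function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing for the example: the router's LAN side and its own
# LAN address. These are assumptions, not values taken from the advisory.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DEVICE_LAN_IP = ipaddress.ip_address("192.168.1.1")


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the device's API handler sees it."""
    peer_ip: str                               # transport-layer source of the TCP connection
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def _parse_hops(xff):
    """Split an X-Forwarded-For value into valid IP addresses, dropping junk entries."""
    hops = []
    for part in (xff or "").split(","):
        try:
            hops.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            continue
    return hops


def is_local_client_vulnerable(req):
    """Flawed check in the spirit of the advisory: the caller controls
    X-Forwarded-For, so any remote peer can claim a LAN source address."""
    hops = _parse_hops(req.header("X-Forwarded-For"))
    claimed = hops[0] if hops else ipaddress.ip_address(req.peer_ip)
    return claimed in LAN_NET


def effective_client_ip(req, trusted_proxies=()):
    """Hardened source attribution. The forwarding header is honoured only when
    the TCP peer is one of our own proxies (given as address strings); otherwise
    the peer address is the client address, whatever the header says."""
    peer = ipaddress.ip_address(req.peer_ip)
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if peer not in trusted:
        return peer
    hops = _parse_hops(req.header("X-Forwarded-For"))
    # The rightmost hop is the one appended by the trusted proxy itself.
    return hops[-1] if hops else peer


def is_local_client_hardened(req, trusted_proxies=()):
    return effective_client_ip(req, trusted_proxies) in LAN_NET


def detect_spoofed_forwarding(req):
    """Detection rule: a connection from outside the LAN carrying an
    X-Forwarded-For header that names a LAN address (notably the device's own)."""
    peer = ipaddress.ip_address(req.peer_ip)
    if peer in LAN_NET:
        return False
    return any(h in LAN_NET for h in _parse_hops(req.header("X-Forwarded-For")))


# Constructed traffic: a genuine LAN admin, a WAN request claiming the device's
# own LAN address, and a plain WAN request with no forwarding header.
LAN_ADMIN = Request("192.168.1.50")
WAN_SPOOF = Request("203.0.113.7", {"X-Forwarded-For": str(DEVICE_LAN_IP)})
WAN_PLAIN = Request("203.0.113.7")


def evaluate(req, trusted_proxies=()):
    """Run all three checks on one request and report the outcomes."""
    return {
        "vulnerable_check": is_local_client_vulnerable(req),
        "hardened_check": is_local_client_hardened(req, trusted_proxies),
        "alert": detect_spoofed_forwarding(req),
    }


if __name__ == "__main__":
    for name, req in [("LAN_ADMIN", LAN_ADMIN), ("WAN_SPOOF", WAN_SPOOF), ("WAN_PLAIN", WAN_PLAIN)]:
        print(name, evaluate(req))
```

The `WAN_SPOOF` record passes the flawed check and fails the hardened one, which is the whole difference the fix in 1.0.4.26 has to make; the detection rule is what a reverse proxy or WAN-side monitor in front of such a device could log while the workaround in the recommendations is in place.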

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2019-12510

Affected Products

Netgear Genie
Netgear Nighthawk X10-R900