CVE-2024-50997

Name of the Vulnerable Software and Affected Versions Netgear R8500 version 1.0.2.160 Netgear XR300 version 1.0.3.78 Netgear R7000P version 1.3.3.154 Netgear R6400 v2 version 1.0.4.128

Description The issue is related to a stack overflow in the pptp.cgi script of Netgear routers, specifically when handling the pptp user ip parameter. This allows attackers to cause a Denial of Service (DoS) via a crafted POST request to the /pptp.cgi endpoint. The vulnerability is due to a buffer copy without checking the size of the input data.

Recommendations For Netgear R8500 version 1.0.2.160, update to a newer version that contains a fix for this issue. For Netgear XR300 version 1.0.3.78, update to a newer version that contains a fix for this issue. For Netgear R7000P version 1.3.3.154, update to a newer version that contains a fix for this issue. For Netgear R6400 v2 version 1.0.4.128, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the pptp.cgi script to minimize the risk of exploitation. Avoid using the pptp user ip parameter in the affected API endpoint until the issue is resolved.