PT-2024-9318 · NetGear · Netgear R7000
Published: 2024-02-21 · Updated: 2024-10-16 · CVE-2024-35520
CVSS v3.1: 8.4 (High)
Vector: AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Netgear R7000, firmware version 1.0.11.136
Description: Command injection in the RMT_invite.cgi handler via the devicename2 parameter. The handler does not sanitize the parameter value before using it to build an OS command, so shell metacharacters supplied in devicename2 are interpreted by the shell and an attacker can execute arbitrary commands on the router. According to the CVSS vector, exploitation requires network-adjacent access and an authenticated, high-privilege session on the web management interface (AV:A, PR:H) but no user interaction; the resulting command execution is not confined to the web interface (scope changed), so confidentiality, integrity and availability of the whole device are affected.
Recommendations: No firmware version containing a fix is known at the time of writing. Until NETGEAR releases a patch, reduce the exposure of the web management interface: do not enable remote (WAN) management, keep the interface reachable only from a trusted management LAN/VLAN and never from guest Wi-Fi, and use a strong, unique administrator password, since the vector requires authenticated access. If the device allows it, disable access to the RMT_invite.cgi endpoint so the vulnerable code path cannot be reached at all. Review web-interface access logs for requests to RMT_invite.cgi whose devicename2 value contains shell metacharacters (for example ; | & ` or $( ).
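The coding pattern behind this bug class, and the hardening that removes it, as an added illustration written for this page. This is hypothetical code, not NETGEAR's firmware: the nvram command, the device_name key, the length limit and the sample inputs are assumptions chosen to make the example self-contained.

```c
/* Added illustration of CGI command injection and its fix.
 * Hypothetical code: not from NETGEAR firmware. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE pattern: the request parameter is spliced verbatim into a
 * shell command line. Whatever the CGI then does with `out`
 * (typically system(out)) hands every shell metacharacter in `devname`
 * to /bin/sh. Returns 0 on success, -1 if the buffer is too small. */
int build_cmd_unsafe(const char *devname, char *out, size_t outsz)
{
    /* "nvram set device_name=" is an assumed stand-in for the real command. */
    int n = snprintf(out, outsz, "nvram set device_name=%s", devname);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Quick triage helper: does the value contain characters that a POSIX
 * shell would interpret? Also handy when grepping access logs. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&`$()<>\n\r\"'\\") != NULL;
}

/* HARDENED step 1: allowlist validation. A device name only needs
 * letters, digits, '-' and '_' (assumed policy, max 32 bytes). */
int devicename_is_valid(const char *devname)
{
    size_t len = strlen(devname);
    if (len == 0 || len > 32)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)devname[i];
        if (!(isalnum(c) || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* HARDENED step 2: never go through a shell. Build an argv vector so the
 * value is a single argument no matter what it contains. Returns 0 on
 * success, -1 if the name is rejected or does not fit in `buf`. */
int build_argv_safe(const char *devname, char *argv_out[4],
                    char *buf, size_t bufsz)
{
    if (!devicename_is_valid(devname))
        return -1;
    int n = snprintf(buf, bufsz, "device_name=%s", devname);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    argv_out[0] = "nvram";
    argv_out[1] = "set";
    argv_out[2] = buf;
    argv_out[3] = NULL;
    return 0;
}

/* Execute an argv directly (fork + execvp), bypassing /bin/sh entirely.
 * Returns the child's exit status, or -1 on failure. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *inputs[] = { "living-room_AP1", "ap1;reboot" };
    char cmd[128], arg[64], *argv[4];
    for (size_t i = 0; i < 2; i++) {
        build_cmd_unsafe(inputs[i], cmd, sizeof cmd);
        printf("unsafe command line : %s\n", cmd);
        printf("metacharacters      : %s\n",
               has_shell_metachars(inputs[i]) ? "yes" : "no");
        printf("hardened path       : %s\n\n",
               build_argv_safe(inputs[i], argv, arg, sizeof arg) == 0
                   ? "accepted" : "rejected");
    }
    return 0;
}
```

The two hardening steps are independent: the allowlist stops the hostile value at the boundary, and the argv-based spawn means that even a value that slips past validation is passed as one argument rather than parsed by a shell. Firmware handlers that keep calling system() with a formatted string remain one missed validation away from the same bug.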

Weakness Enumeration: Command Injection

Related Identifiers: BDU:2024-11008, CVE-2024-35520

Affected Products: Netgear R7000