Vulnerability Details CVE-2019-12510
In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may bypass all authentication checks on the device's "NETGEAR Genie" SOAP API ("/soap/server_sa") by supplying a malicious X-Forwarded-For header of the device's LAN IP address (192.168.1.1) in every request. As a result, an attacker may modify almost all of the device's settings and view various configuration settings.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 22.2%
CVSS Severity
CVSS v3 Score 9.1
CVSS v2 Score 6.4
References
Products affected by CVE-2019-12510
-
cpe:2.3:h:netgear:nighthawk_x10-r9000:-
-
cpe:2.3:o:netgear:nighthawk_x10-r9000_firmware:1.0.4.24