CVE-2024-6145: CWE-134: Use of Externally-Controlled Format String in Actiontec WCB6200Q
Actiontec WCB6200Q Cookie Format String Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Actiontec WCB6200Q routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HTTP server. A crafted Cookie header in an HTTP request can trigger the use of a format specifier from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of the HTTP server. Was ZDI-CAN-21417.
AI Analysis
Technical Summary
CVE-2024-6145 is a critical vulnerability classified under CWE-134 (Use of Externally-Controlled Format String) found in the Actiontec WCB6200Q router, specifically in firmware version 1.2L.03.5. The flaw exists within the router's HTTP server, where it improperly handles the Cookie header in incoming HTTP requests. An attacker can craft a malicious Cookie header containing format specifiers that the server processes without proper validation or sanitization. This leads to a format string vulnerability, enabling the attacker to execute arbitrary code remotely in the context of the HTTP server process. The vulnerability is exploitable by network-adjacent attackers without requiring any authentication or user interaction, making it highly accessible. The CVSS v3.0 base score is 8.8, reflecting the high impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the vulnerability was reported through the Zero Day Initiative (ZDI) as ZDI-CAN-21417 and published on June 18, 2024. The lack of available patches at the time of disclosure increases the urgency for affected users to implement interim mitigations and monitor for updates from the vendor.
Potential Impact
This vulnerability allows attackers to execute arbitrary code remotely on affected Actiontec WCB6200Q routers, potentially leading to full compromise of the device. The attacker can gain control over the router’s HTTP server process, which may allow them to intercept, modify, or redirect network traffic, disrupt network availability, or use the device as a foothold for further attacks within the network. Confidentiality is at risk as attackers could access sensitive information passing through the router. Integrity is compromised because attackers can alter router configurations or inject malicious payloads. Availability may be affected if the attacker disrupts router operations or causes denial of service. Given the router’s role as a network gateway, exploitation could have cascading effects on connected systems and networks, especially in enterprise or critical infrastructure environments. The ease of exploitation without authentication or user interaction significantly raises the threat level for organizations relying on this hardware.
Mitigation Recommendations
1. Immediately check for firmware updates from Actiontec and apply any patches addressing this vulnerability once available.
2. If no patch is available, restrict network access to the router’s management interface by implementing network segmentation and firewall rules to limit HTTP access only to trusted management stations.
3. Disable remote management features if not required, especially HTTP access from untrusted networks.
4. Monitor network traffic for unusual HTTP requests containing suspicious Cookie headers or other anomalies indicative of exploitation attempts.
5. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting format string attacks targeting HTTP services.
6. Consider replacing affected devices with models that have a better security track record if patching or mitigation is not feasible.
7. Maintain regular backups of router configurations and monitor logs for signs of compromise.
8. Educate network administrators about this vulnerability and ensure incident response plans include steps for dealing with router compromises.
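One way to implement the Cookie-header monitoring in recommendations 4 and 5, as an added example that is not vendor code or part of the original advisory. The function names, the sample requests and the choice to check the cookie both raw and after one URL-decode are assumptions, since the advisory does not say how the HTTP server processes the header.

```python
import re
from urllib.parse import unquote

# printf-style conversion: %[n$][flags][width][.precision][length]conversion.
# The ' ' flag is left out on purpose so prose such as "50% off" is not flagged.
PRINTF_SPEC = re.compile(
    r"%(?:\d+\$)?[-+#0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfgGaAcspn]"
)
# A percent-escape that decodes to printable ASCII is treated as URL encoding.
# Sequences such as "%20d" are ambiguous and are read as an escape here.
PRINTABLE_ESCAPE = re.compile(r"%(?:[2-6][0-9A-Fa-f]|7[0-9A-Ea-e])")

# Constructed sample requests (not captured traffic).
BENIGN = ("GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n"
          "Cookie: sid=3f9a; path=%2Fadmin%3Ftab%3D1; promo=50%25%20off\r\n\r\n")
SUSPECT = ("GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n"
           "Cookie: sid=%p.%p.%p; id=%08x\r\n\r\n")


def cookie_values(raw_request: str):
    """Yield the value of every Cookie header in a raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            yield value.strip()


def format_specs(cookie: str):
    """Return distinct printf conversions seen raw or after one URL-decode."""
    raw = PRINTABLE_ESCAPE.sub(" ", cookie)  # blank out ordinary escapes
    hits = PRINTF_SPEC.findall(raw)
    decoded = unquote(cookie)
    if decoded != cookie:  # catches an encoded '%', e.g. "%25s" -> "%s"
        hits += PRINTF_SPEC.findall(decoded)
    return list(dict.fromkeys(hits))  # de-duplicate, keep first-seen order


def scan(raw_request: str):
    """Return (cookie, specs) pairs for cookies that look like format strings."""
    pairs = ((c, format_specs(c)) for c in cookie_values(raw_request))
    return [(c, specs) for c, specs in pairs if specs]
```
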
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2024-06-18T21:08:52.383Z
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 699f6bfcb7ef31ef0b55d536
Added to database: 2/25/2026, 9:39:08 PM
Last enriched: 2/26/2026, 3:01:42 AM
Last updated: 4/12/2026, 7:58:48 AM