Arris SURFboard SBG6950AC2 Arbitrary Command Execution Vulnerability


An arbitrary command execution vulnerability exists in Arris SURFboard SBG6950AC2 devices. An unauthenticated attacker can exploit this vulnerability to achieve code execution as root.

Vulnerability Identifier

  • Exodus Intelligence: EIP-7777417a
  • MITRE: CVE-2024-23618

Vulnerability Metrics

  • CVSSv2 Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C
  • CVSSv2 Score: 8.3

Vendor References

  • The vendor has applied fixes in newer revisions of the firmware.

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to vendor: June 17, 2021
  • Vendor response to disclosure: June 21, 2021
  • Disclosed to public: January 25, 2024

Further Information

Readers of this advisory who would like further details about the vulnerability, mitigations, detection guidance, and more can contact us at