Netgear Rax30 Firmware

Netgear RAX30 v1.0.10.94 PHP-FPM RCE via alternate extensions
CVE-2025-44658 - July 21, 2025

In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability is caused by not following the specification to only limit FPM to .php extensions. An attacker may exploit this by uploading malicious scripts disguised with alternate extensions and tricking the web server into executing them as PHP, bypassing security mechanisms based on file extension filtering. This may lead to remote code execution (RCE), information disclosure, or full system compromise.

NETGEAR RAX30 Improper Cert Validation RCE No Auth Required
CVE-2023-51634 7.5 - High - November 22, 2024

NETGEAR RAX30 Improper Certificate Validation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via HTTPS. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-19589.

Improper Certificate Validation

NETGEAR RAX30 fing_dil Stack Buffer Overflow RCE
CVE-2023-51635 8.8 - High - November 22, 2024

NETGEAR RAX30 fing_dil Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within fing_dil service. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19843.

Memory Corruption

NETGEAR RAX30 UPnP Cmd Injection RCE via Unvalidated Exec
CVE-2023-40479 8.8 - High - May 03, 2024

NETGEAR RAX30 UPnP Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19704.

Shell injection

NETGEAR RAX30 DHCP Cmd Injection RCE
CVE-2023-40480 8.8 - High - May 03, 2024

NETGEAR RAX30 DHCP Server Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DHCP server. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19705.

Shell injection

NETGEAR RAX30 Telnet CLI Stack Buffer Overflow RCE
CVE-2023-40478 6.8 - Medium - May 03, 2024

NETGEAR RAX30 Telnet CLI passwd Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the telnet CLI service, which listens on TCP port 23. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20009.

Memory Corruption

NETGEAR RAX30 lighttpd RCE via Misconfiguration
CVE-2023-27360 8.8 - High - May 03, 2024

NETGEAR RAX30 lighttpd Misconfiguration Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the lighttpd HTTP server. The issue results from allowing execution of files from untrusted sources. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19398.

Origin Validation Error

NETGEAR RAX30 SOAP Auth Bypass: GetInfo Info Disclosure
CVE-2023-27357 6.5 - Medium - May 03, 2024

NETGEAR RAX30 GetInfo Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SOAP requests. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose sensitive information, leading to further compromise. Was ZDI-CAN-19608.

Missing Authentication for Critical Function

NETGEAR RAX30 rex_cgi JSON Buffer Overflow RCE
CVE-2023-27361 8 - High - May 03, 2024

NETGEAR RAX30 rex_cgi JSON Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of JSON data. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19355.

Memory Corruption

Netgear RAX30 libcms_cli RCE via CInj
CVE-2023-27367 8 - High - May 03, 2024

NETGEAR RAX30 libcms_cli Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the libcms_cli module. The issue results from the lack of proper validation of a user-supplied command before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19838.

Shell injection

NETGEAR RAX30 soap_serverd Stack-Buffer Overflow Auth Bypass
CVE-2023-27368 8.8 - High - May 03, 2024

NETGEAR RAX30 soap_serverd Stack-based Buffer Overflow Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the soap_serverd binary. When parsing SOAP message headers, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19839.

Memory Corruption

NETGEAR RAX30 soap_serverd Stack Buffer Overflow Auth Bypass
CVE-2023-27369 8.8 - High - May 03, 2024

NETGEAR RAX30 soap_serverd Stack-based Buffer Overflow Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the soap_serverd binary. When parsing the request headers, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19840.

Memory Corruption

NETGEAR RAX30 Cleartext Config Disclosure via Auth Bypass
CVE-2023-27370 5.7 - Medium - May 03, 2024

NETGEAR RAX30 Device Configuration Cleartext Storage Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR RAX30 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of device configuration. The issue results from the storage of configuration secrets in plaintext. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-19841.

Cleartext Storage of Sensitive Information

Netgear RAX30 USB SL Info Disclosure (Root)
CVE-2023-34283 4.6 - Medium - May 03, 2024

NETGEAR RAX30 USB Share Link Following Information Disclosure Vulnerability. This vulnerability allows physically present attackers to disclose sensitive information on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of symbolic links on removable USB media. By creating a symbolic link, an attacker can abuse the router's web server to access arbitrary local files. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-19498.

insecure temporary file

NETGEAR RAX30 Hardcoded Credentials: Auth Bypass
CVE-2023-34284 6.3 - Medium - May 03, 2024

NETGEAR RAX30 Use of Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the system configuration. The system contains a hardcoded user account which can be used to access the CLI service as a low-privileged user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19660.

Use of Hard-coded Credentials

NETGEAR RAX30 cmsCli_authenticate Buffer Overflow RCE (telnetd)
CVE-2023-34285 8.8 - High - May 03, 2024

NETGEAR RAX30 cmsCli_authenticate Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within a shared library used by the telnetd service, which listens on TCP port 23 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19918.

Memory Corruption

NETGEAR RAX30 UPnP Command Injection RCE
CVE-2023-35722 8.8 - High - May 03, 2024

NETGEAR RAX30 UPnP Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of UPnP port mapping requests. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20429.

Shell injection

Netgear RAX30 1.0.11.96 Stack Buffer Overflow in getblockschedule()
CVE-2023-48725 7.2 - High - March 07, 2024

A stack-based buffer overflow vulnerability exists in the JSON Parsing getblockschedule() functionality of Netgear RAX30 1.0.11.96 and 1.0.7.78. A specially crafted HTTP request can lead to code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Stack Overflow

Netgear Nighthawk WiFi6 Format String Vulnerability < V1.0.10.94
CVE-2023-27853 9.8 - Critical - March 10, 2023

NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 contains a format string vulnerability in a SOAP service that could allow an attacker to execute arbitrary code on the device.

Classic Buffer Overflow

NETGEAR Nighthawk WiFi6 Router Buffer Overflow via CGI (V1.0.10.94)
CVE-2023-27852 9.8 - Critical - March 10, 2023

NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 contains a buffer overflow vulnerability in various CGI mechanisms that could allow an attacker to execute arbitrary code on the device.

Classic Buffer Overflow

NETGEAR Nighthawk WiFi6 Router file-share code exec < V1.0.10.94
CVE-2023-27851 8.8 - High - March 10, 2023

NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 contains a file sharing mechanism that unintentionally allows users with upload permissions to execute arbitrary code on the device.

NETGEAR Nighthawk WiFi6 Router: Arbitrary File Read via Sharing (pre V1.0.10.94)
CVE-2023-27850 6.8 - Medium - March 10, 2023

NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 contains a file sharing mechanism that allows users with access to this feature to access arbitrary files on the device.

NETGEAR Nighthawk WiFi6 Router CSRF before v1.0.10.94
CVE-2023-1205 8.8 - High - March 10, 2023

NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 is vulnerable to cross-site request forgery attacks on all endpoints due to improperly implemented CSRF protections.

Session Riding

Telnet Console Command Injection via Default Telnet Console
CVE-2022-47210 7.8 - High - December 16, 2022

The default console presented to users over telnet (when enabled) is restricted to a subset of commands. Commands issued at this console, however, appear to be fed directly into a system call or other similar function. This allows any authenticated user to execute arbitrary commands on the device.

Shell injection

Unknown IoT Device: Default 'support' Backdoor Account Cannot Be Changed
CVE-2022-47209 8.8 - High - December 16, 2022

A support user exists on the device and appears to be a backdoor for Technical Support staff. The default password for this account is support and cannot be changed by a user via any normally accessible means.

authentification