CVE-2021-41449

HIGH

Netgear RAX35, RAX38, and RAX40 Firmware < 1.0.4.102 - Unauthenticated Path Traversal

Title source: llm

Description

A path traversal attack in web interfaces of Netgear RAX35, RAX38, and RAX40 routers before v1.0.4.102, allows a remote unauthenticated attacker to gain access to sensitive restricted information, such as forbidden files of the web application, via sending a specially crafted HTTP packet.

References (4)

Core 4

Core References

Vendor Advisory x_refsource_misc

http://netgear.com

Vendor Advisory x_refsource_misc

https://www.netgear.com/about/security/

Broken Link x_refsource_misc

http://rax40.com

Vendor Advisory x_refsource_misc

https://kb.netgear.com/000064405/Security-Advisory-for-Path-Traversal-on-Some-Routers-PSV-2021-0268

Scores

CVSS v3 7.1

EPSS 0.0144

EPSS Percentile 80.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Details

CWE

CWE-22

Status published

Products (3)

netgear/rax35_firmware < 1.0.4.102

netgear/rax38_firmware < 1.0.4.102

netgear/rax40_firmware < 1.0.4.102

Published Dec 09, 2021

Tracked Since Feb 18, 2026