CVE-2022-43654

HIGH

NETGEAR CAX30 and CAX30S Firmware < 2.1.3.10 - Unauthenticated OS Command Injection via SSO Token Parameter

Title source: llm

Description

NETGEAR CAX30S SSO Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR CAX30S routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the token parameter provided to the sso.php endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-18227.

References (2)

Core 2

Core References

Third Party Advisory x_research-advisory

https://www.zerodayinitiative.com/advisories/ZDI-23-214/

Vendor Advisory vendor-advisory

https://kb.netgear.com/000065527/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-Cable-Modem-Routers-PSV-2022-0208

Scores

CVSS v3 8.8

EPSS 0.0268

EPSS Percentile 86.0%

Attack Vector ADJACENT_NETWORK

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (2)

netgear/cax30_firmware < 2.1.3.10

netgear/cax30s_firmware < 2.1.3.10

Published May 07, 2024

Tracked Since Feb 18, 2026