CVE-2023-27360

HIGH

Netgear Rax30 Firmware < 1.0.10.94 - Origin Validation Error

Title source: rule

Description

NETGEAR RAX30 lighttpd Misconfiguration Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the lighttpd HTTP server. The issue results from allowing execution of files from untrusted sources. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19398.

References (2)

[Vendor Advisory] https://kb.netgear.com/000065559/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0352

[Third Party Advisory] https://www.zerodayinitiative.com/advisories/ZDI-23-496/

Scores

CVSS v3 8.8

EPSS 0.0072

EPSS Percentile 72.1%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-345 CWE-346

Status published

Affected Products (1)

netgear/rax30_firmware < 1.0.10.94

Timeline

Published May 03, 2024

Tracked Since Feb 18, 2026