CVE-2023-38098
HIGHNetgear Prosafe Network Management System - Unrestricted File Upload
Title source: ruleDescription
NETGEAR ProSAFE Network Management System UpLoadServlet Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the UpLoadServlet class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19720.
Exploits (1)
metasploit
WORKING POC
EXCELLENT
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/netgear_nms_rce.rb
Scores
CVSS v3
8.8
EPSS
0.7936
EPSS Percentile
99.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
netgear/prosafe_network_management_system
< 1.7.0.20
Published
May 03, 2024
Tracked Since
Feb 18, 2026