CVE-2025-44658

CRITICAL

Netgear RAX30 V1.0.10.94 - Remote Code Execution via PHP-FPM Misconfiguration


Description

In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability arises because the device does not follow the specification's guidance to restrict FPM to handling only files with the .php extension. An attacker may exploit this by uploading malicious scripts disguised with alternate extensions and tricking the web server into executing them as PHP, bypassing security mechanisms that rely on file extension filtering. This may lead to remote code execution (RCE), information disclosure, or full system compromise.

Scores

CVSS v3: 9.8
EPSS: 0.0096
EPSS Percentile: 57.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-434
Status: published
Products (1): netgear/rax30_firmware 1.0.10.94
Published: Jul 21, 2025
Tracked Since: Feb 18, 2026