CVE-2025-44658
Severity: CRITICAL
Netgear RAX30 Firmware - Unrestricted File Upload
Title source: ruleDescription
In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability arises because the deployment does not follow the specification's guidance to limit FPM execution to the .php extension only. An attacker may exploit this by uploading malicious scripts disguised with alternate extensions and tricking the web server into executing them as PHP, bypassing security mechanisms that rely on file-extension filtering. This may lead to remote code execution (RCE), information disclosure, or full system compromise.
References (3)
Core References:
Vendor Advisory: https://www.netgear.com/about/security/
Third Party Advisory: https://www.notion.so/CVE-2025-44658-24754a1113e780df8f72c779a108f75b
Scores
CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0049
EPSS Percentile: 65.8%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-434
Status: published
Products (1): netgear/rax30_firmware 1.0.10.94
Published: Jul 21, 2025
Tracked Since: Feb 18, 2026