PT-2023-2335 · NetGear · Netgear Nighthawk Wifi6 Router

Published: 2023-03-15 · Updated: 2023-03-21 · CVE-2023-28337

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Netgear Nighthawk Wifi6 Router (RAX30) (affected versions not specified)

Description: The vulnerability is caused by missing access control in the firmware image upload handler of the Netgear Nighthawk Wifi6 Router (RAX30). A hidden forceFWUpdate parameter can be used to force the upgrade to complete, bypassing certain validation checks, which allows end users to upload modified, unofficial, and potentially malicious firmware to the device. A remote attacker can exploit this to execute arbitrary code.

Recommendations: As a temporary workaround, consider disabling the firmware upload feature until a patch is available. Restrict access to the firmware upload module to minimize the risk of exploitation. Avoid using the forceFWUpdate parameter in the firmware upload process until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Access Control

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

BDU:2023-02100
CVE-2023-28337

Affected Products

Netgear Nighthawk Wifi6 Router