CVE-2023-27358 – This vulnerability allows network-adjacent atta... (How to Fix)

Q: What is the severity of CVE-2023-27358?

CVE-2023-27358 has a CVSS score of 8.8 (HIGH). This vulnerability allows network-adjacent attackers to execute SQL injection via unauthenticated SOAP requests on NETGEAR RAX30 routers, potentially leading to remote code execution. Attackers can exploit this without authentication to compromise the router. All users of affected NETGEAR RAX30 routers are at risk.

📋 TL;DR

This vulnerability allows network-adjacent attackers to execute SQL injection via unauthenticated SOAP requests on NETGEAR RAX30 routers, potentially leading to remote code execution. Attackers can exploit this without authentication to compromise the router. All users of affected NETGEAR RAX30 routers are at risk.

💻 Affected Systems

Products:

NETGEAR RAX30

Versions: Versions prior to V1.0.10.94

Operating Systems: Router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise allowing attacker to intercept all network traffic, install persistent malware, pivot to internal network devices, and use router as attack platform.

🟠

Likely Case

Router compromise leading to credential theft, DNS hijacking, man-in-the-middle attacks, and network disruption.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, though router remains vulnerable to adjacent attackers.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires network adjacency but no authentication. Multiple public PoCs exist demonstrating SQL injection and RCE chain.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V1.0.10.94 or later

Vendor Advisory: https://kb.netgear.com/000065617/Security-Advisory-for-Authentication-Bypass-on-Some-Routers-PSV-2022-0349

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and install V1.0.10.94 or later. 4. Reboot router after update completes.

🔧 Temporary Workarounds

Disable SOAP services

all

Disable SOAP/UPnP services if not required

Network segmentation

all

Isolate router management interface from user networks

🧯 If You Can't Patch

Replace router with patched model or different vendor
Implement strict network access controls to limit adjacent network access

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is below V1.0.10.94, system is vulnerable.

Check Version:

Check via router web interface at Advanced > Administration > Firmware Update

Verify Fix Applied:

Confirm firmware version is V1.0.10.94 or higher in router admin interface.

📡 Detection & Monitoring

Log Indicators:

Unusual SOAP request patterns
SQL error messages in logs
Unexpected process execution

Network Indicators:

Unusual SOAP traffic to router management interface
SQL injection patterns in HTTP requests

SIEM Query:

source="router_logs" AND ("SOAP" OR "sql" OR "injection") AND dest_ip="router_ip"

📊 Metadata

CVE ID: CVE-2023-27358

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: May 3, 2024

Last Updated: January 9, 2025

🔗 References

https://kb.netgear.com/000065617/Security-Advisory-for-Authentication-Bypass-on-Some-Routers-PSV-2022-0349 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-502/ Third Party Advisory
https://kb.netgear.com/000065617/Security-Advisory-for-Authentication-Bypass-on-Some-Routers-PSV-2022-0349 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-502/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-27358, you might also want to check these: