CVE-2023-27360
📋 TL;DR
This vulnerability allows network-adjacent attackers to execute arbitrary code as root on NETGEAR RAX30 routers without authentication, due to a misconfiguration in the lighttpd HTTP server that permits execution of untrusted files. It affects users of NETGEAR RAX30 routers with vulnerable firmware versions.
💻 Affected Systems
- NETGEAR RAX30
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full root control over the router, enabling them to intercept traffic, deploy malware, or pivot to other network devices.
Likely Case
Attackers exploit the vulnerability to install backdoors, steal credentials, or launch attacks on internal network resources.
If Mitigated
With proper patching and network segmentation, the impact is limited to isolated network segments, preventing broader compromise.
🎯 Exploit Status
Exploitation is straightforward for network-adjacent attackers due to the lack of authentication requirements and misconfiguration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version 1.0.10.94 or later
Vendor Advisory: https://kb.netgear.com/000065559/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0352
Restart Required: Yes
Instructions:
1. Log into the NETGEAR RAX30 router admin interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install firmware version 1.0.10.94 or later.
4. Reboot the router after installation.
🔧 Temporary Workarounds
Disable Remote Management
Turn off remote management features to reduce the attack surface exposed to network-adjacent threats.
Log into router admin, go to Advanced > Administration > Remote Management, set to 'Turn Off'
Network Segmentation
Isolate the router on a separate VLAN to limit lateral movement in case of compromise.
Configure VLANs on your network switch or firewall to segment router traffic
🧯 If You Can't Patch
- Disconnect the router from untrusted networks and restrict access to trusted devices only.
- Monitor network traffic for unusual activity and implement strict firewall rules to block unauthorized access attempts.
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the router admin interface under Advanced > Administration > Firmware Update; if version is below 1.0.10.94, it is vulnerable.
Check Version:
Log into router admin and navigate to Advanced > Administration > Firmware Update to view current version.
Verify Fix Applied:
After updating, confirm the firmware version is 1.0.10.94 or higher in the same admin section.
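The three checks above all come down to comparing the firmware version shown in the admin UI against 1.0.10.94. The script below is an added example (not part of this advisory or of any NETGEAR tooling) that does that comparison correctly: it splits the version into numeric fields instead of comparing strings, because a plain string comparison ranks "1.0.9.99" above "1.0.10.94". The tolerance for a leading "V" or a trailing "_build" suffix is an assumption about how the UI may display the version, not something the advisory states.

```python
"""Firmware version check for CVE-2023-27360 on the NETGEAR RAX30.

Added example, not from the advisory. Paste the version string shown under
Advanced > Administration > Firmware Update into is_vulnerable(); True means
the device is below the fixed version 1.0.10.94 and still needs the update.
"""
import re
from typing import Tuple

FIXED_VERSION = "1.0.10.94"  # fixed version named in the vendor advisory

_VERSION_RE = re.compile(r"^[vV]?(\d+(?:\.\d+)*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.0.10.94' into (1, 0, 10, 94).

    A leading 'V' and anything after a '_' (assumed build suffix, e.g.
    'V1.0.10.94_3.0.10') are ignored. Raises ValueError for non-versions.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a firmware version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed, comparing field by field as integers.

    Shorter versions are padded with zeros so '1.0.10' compares as
    '1.0.10.0', which is below '1.0.10.94'.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


if __name__ == "__main__":
    for sample in ("1.0.9.99", "1.0.10.93", "1.0.10.94", "V1.0.11.2_3.0.10"):
        state = "VULNERABLE" if is_vulnerable(sample) else "fixed"
        print(f"{sample:>20}: {state}")
```

Run it with the exact string the UI shows; if parse_version raises, the string is not a dotted version and the device should be checked by hand rather than assumed fixed.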
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to lighttpd server, unexpected file executions, or root privilege escalations in system logs.
Network Indicators:
- Suspicious traffic patterns to router management ports, such as port 80/443 from unauthorized internal IPs.
SIEM Query:
Example: 'source="router_logs" AND (event="file_execution" OR event="root_access")'
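The indicators above can be turned into a small triage pass over the router's HTTP access log. The script below is an added example, not part of the advisory or of any vendor tooling. It assumes the lighttpd access log has been exported (for instance via syslog) in Common Log Format (client IP, ident, user, timestamp, request line, status, size), and that the set of hosts permitted to use the management UI is known; the allowlist and the log lines are constructed for the example. Each line is flagged when it comes from a host outside the allowlist (the "unauthorized internal IPs" indicator), uses an HTTP method the UI is not expected to receive (a concrete form of "unusual HTTP requests"), or cannot be parsed at all, which itself deserves a look.

```python
"""Triage of router HTTP access log lines against the indicators listed above.

Added example, not part of the advisory. Assumes Common Log Format lines and
an allowlist of management hosts; both the allowlist and SAMPLE_LOG below are
constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Hosts permitted to reach the management UI on ports 80/443 (assumption).
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("192.168.1.10/32"),
    ipaddress.ip_network("192.168.1.11/32"),
]

# Methods the admin UI is expected to see; anything else is reported.
EXPECTED_METHODS = {"GET", "POST"}

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    line_no: int
    reason: str
    ip: str
    path: str


def is_authorized(ip: str) -> bool:
    """True when the client address falls inside the management allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious or unparseable log line."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            findings.append(Finding(n, "unparseable line", "-", "-"))
            continue
        ip, method, path = m["ip"], m["method"], m["path"]
        if not is_authorized(ip):
            findings.append(
                Finding(n, "management request from non-allowlisted source", ip, path))
        elif method not in EXPECTED_METHODS:
            findings.append(Finding(n, f"unexpected HTTP method {method}", ip, path))
    return findings


# Constructed sample: one normal request, one from an unlisted host,
# one with an unexpected method, one unparseable line.
SAMPLE_LOG = [
    '192.168.1.10 - - [10/Apr/2023:10:00:01 +0000] "GET /index.htm HTTP/1.1" 200 5123',
    '192.168.1.57 - - [10/Apr/2023:10:00:05 +0000] "GET /index.htm HTTP/1.1" 200 5123',
    '192.168.1.11 - - [10/Apr/2023:10:00:09 +0000] "PUT /upload HTTP/1.1" 403 0',
    'not a log line',
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} ({f.ip} {f.path})")
```

The allowlist is the part to adapt: on a segmented network it should contain only the management hosts from the VLAN described under the workarounds, so that any other internal address reaching the UI stands out immediately.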
🔗 References
- https://kb.netgear.com/000065559/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0352
- https://www.zerodayinitiative.com/advisories/ZDI-23-496/