Login Sign Up

CVE-2023-27368

8.8 HIGH
Remote Code Execution Authentication Bypass Buffer Overflow

📋 TL;DR

This vulnerability allows network-adjacent attackers to execute arbitrary code on NETGEAR RAX30 routers without authentication. Attackers can exploit a stack-based buffer overflow in the soap_serverd binary to bypass authentication and gain control of affected devices. Only NETGEAR RAX30 router users are affected.

💻 Affected Systems

Products:
  • NETGEAR RAX30
Versions: Firmware versions prior to V1.0.10.94
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The soap_serverd service runs by default and is accessible from the LAN side.

📦 What is this software?

Rax30 Firmware by Netgear

View all CVEs affecting Rax30 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and use the router as part of a botnet.

🟠

Likely Case

Router takeover enabling traffic interception, DNS hijacking, credential theft, and lateral movement to connected devices.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, though router functionality could still be disrupted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No public PoC available but technical details are published. Exploitation requires network adjacency but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V1.0.10.94

Vendor Advisory: https://kb.netgear.com/000065619/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0348

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and install V1.0.10.94 or later. 4. Reboot router after update completes.

🔧 Temporary Workarounds

Disable SOAP service

all

Disable the vulnerable soap_serverd service if not required

Network segmentation

all

Isolate router management interface to trusted VLAN

🧯 If You Can't Patch

  • Replace affected router with patched model
  • Implement strict network access controls to limit LAN-side access to router

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under Advanced > Administration > Firmware Update

Check Version:

Not applicable - check via web interface

Verify Fix Applied:

Confirm firmware version is V1.0.10.94 or later in admin interface

📡 Detection & Monitoring

Log Indicators:

  • Unusual SOAP requests to router
  • Multiple failed authentication attempts followed by successful access
  • Unexpected process crashes in router logs

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to suspicious domains from router
  • Unexpected traffic redirection

SIEM Query:

source="router_logs" AND ("soap_serverd" OR "buffer overflow" OR "authentication bypass")

📊 Metadata

CVE ID: CVE-2023-27368
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121
Published: May 3, 2024
Last Updated: January 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-27368, you might also want to check these:

CVE-2024-39791 10.0

CVE-2024-39791 is a critical stack-based buffer overflow vulnerability in Vonets industrial WiFi bri...

Same vulnerability type (CWE-121)
CVE-2022-20699 10.0

This critical vulnerability in Cisco Small Business routers allows unauthenticated remote attackers ...

Same vulnerability type (CWE-121)
CVE-2022-20701 10.0

This CVE describes multiple critical vulnerabilities in Cisco Small Business RV series routers that ...

Same vulnerability type (CWE-121)