CVE-2023-40478

6.8 MEDIUM

📋 TL;DR

This vulnerability allows network-adjacent attackers to execute arbitrary code as root on NETGEAR RAX30 routers via a stack-based buffer overflow in the telnet CLI service: user-supplied data is copied into a fixed-length stack buffer without a length check. Authentication is required, but the existing authentication mechanism can be bypassed. Affected users are those with NETGEAR RAX30 routers running firmware older than V1.0.11.96.

💻 Affected Systems

Products:
  • NETGEAR RAX30
Versions: Firmware versions prior to V1.0.11.96
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Telnet service is enabled by default on affected firmware versions. The vulnerability requires network adjacency but authentication can be bypassed.

📦 What is this software?

The NETGEAR RAX30 is a Nighthawk-series consumer Wi-Fi 6 router. Its firmware ships a telnet-accessible command-line interface for administration; the overflow is in that CLI service's handling of user-supplied input, so anything that can reach TCP port 23 on the router's LAN address can reach the vulnerable code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full router compromise with root-level remote code execution, allowing an attacker to intercept traffic, modify configuration, install persistent malware, or pivot to internal networks.

🟠 Likely Case

Router takeover leading to man-in-the-middle attacks, DNS hijacking, credential theft, and network disruption.

🟢 If Mitigated

Limited impact if the telnet service is disabled and the LAN/Wi-Fi is segmented so that untrusted devices are not network-adjacent to the router's management interface.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires network adjacency (a LAN or Wi-Fi client) and a bypass of the telnet CLI authentication. The ZDI advisory describes the flaw (a missing length check before a copy into a fixed-size stack buffer) but does not publish exploit code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V1.0.11.96

Vendor Advisory: https://kb.netgear.com/000065649/Security-Advisory-for-Post-authentication-Buffer-Overflow-on-the-RAX30-PSV-2023-0002

Restart Required: Yes

Instructions:

1. Log into the router web interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install V1.0.11.96 or later.
4. Reboot the router after the update completes.

🔧 Temporary Workarounds

Disable Telnet Service

Disable the telnet CLI service entirely; the overflow is only reachable through it. The CLI command this page gives is:

telnet disable

Confirm the exact command with your firmware's CLI help before relying on it, and verify afterwards that TCP port 23 on the router's LAN address no longer accepts connections.

Restrict Network Access

Exploitation is network-adjacent, so a perimeter firewall does not help. The restriction has to be enforced on the router itself (firewall rules limiting TCP port 23 to known admin hosts) or by LAN/Wi-Fi segmentation (guest-network isolation, VLANs) so that untrusted devices cannot reach the router's management interface at all.

🧯 If You Can't Patch

  • Disable the telnet service immediately via the router CLI or web interface
  • Segment the network so that only trusted admin hosts are adjacent to the router's management interface (guest Wi-Fi isolation, VLANs); the attacker must be on the LAN or Wi-Fi to reach the flaw

🔍 How to Verify

Check if Vulnerable:

Read the running firmware version in the router web interface under Advanced > Administration > Firmware Update. If it is below V1.0.11.96, the router is vulnerable. Compare versions numerically, field by field, not as strings: 1.0.9.x is older than 1.0.11.96 even though "9" sorts after "11" as text.

Check Version:

Use the web interface (path above), or show version on the router CLI as listed on this page. Prefer the web interface: the CLI is reached over the same telnet service that carries the flaw.

Verify Fix Applied:

After the reboot, confirm the firmware version reads V1.0.11.96 or later, and that the telnet service is either disabled or no longer reachable from untrusted segments.
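An added worked example (not code from this page or from NETGEAR) of the numeric comparison the check above calls for. FIXED_VERSION is the value stated on this page; the handling of an optional "_suffix" on the version string is an assumption. The deliberately wrong string-comparison helper is kept beside the correct one to show the pitfall.

```python
"""Firmware version check against the advisory's fixed-version threshold.

Added example, not code from the page or from NETGEAR. Versions are compared
numerically, field by field; the fixed version is the one stated on this
page, and the optional "_suffix" handling is an assumption.
"""
import re

FIXED_VERSION = "V1.0.11.96"   # fixed version per the advisory on this page

# Optional leading V/v, dot-separated integers, optional "_suffix" (assumed, ignored).
_VERSION_RE = re.compile(r"^\s*[vV]?(\d+(?:\.\d+)*)(?:_\S*)?\s*$")


def parse_version(text):
    """Return the numeric fields of a firmware version as a tuple of ints."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    return tuple(int(field) for field in match.group(1).split("."))


def is_vulnerable(running, fixed=FIXED_VERSION):
    """True when the running firmware is older than the fixed version.

    Tuple comparison is field-by-field and numeric, and a shorter tuple
    sorts below a longer one with the same prefix (1.0.11 < 1.0.11.96).
    """
    return parse_version(running) < parse_version(fixed)


def string_compare_is_vulnerable(running, fixed=FIXED_VERSION):
    """The wrong way: plain string comparison, kept to show the pitfall."""
    return running.upper() < fixed.upper()


if __name__ == "__main__":
    for sample in ("V1.0.10.94", "V1.0.11.96", "V1.0.11.100", "V1.0.9.90"):
        print(f"{sample:12} vulnerable={is_vulnerable(sample)} "
              f"string_compare={string_compare_is_vulnerable(sample)}")
```

Run it as-is to see the two comparisons disagree on V1.0.9.90 (older, so vulnerable) and V1.0.11.100 (newer, so fixed); feed the string from the web interface to is_vulnerable for a real check.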

📡 Detection & Monitoring

Log Indicators:

  • Telnet (TCP/23) sessions to the router from hosts that are not known admin workstations; the attack is network-adjacent, so the source is a LAN or Wi-Fi client, not an external address
  • Repeated short telnet sessions from one host (login attempts); because the authentication bypass means an attacker need not fail a login, treat a successful CLI login from an unexpected host as suspicious too
  • Telnet CLI process crashes or restarts (a failed overflow attempt usually kills the service), and sessions that end in a reset shortly after a large client-to-server write

Network Indicators:

  • Unexpected LAN/Wi-Fi clients connecting to the router's port 23
  • Telnet sessions whose client-to-server byte count is far larger than an interactive CLI session would produce (an overflow payload is much longer than a typed command)

SIEM Query:

dest_ip=<router LAN address> AND dest_port=23 AND (event_type="authentication_failure" OR bytes_in>1024)
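To turn the indicators above into something that runs, here is an added example (not code from this page, from NETGEAR or from the Zeek project) that scans a Zeek-style conn.log subset for the three patterns: telnet sessions from non-admin hosts, a burst of short sessions from one host, and an oversized client-to-server write that ends in a reset. The log lines are constructed; ROUTER_IP, ADMIN_HOSTS and every threshold are assumptions to tune for your own network.

```python
"""Flag suspicious telnet (TCP/23) sessions to a router in Zeek-style conn.log data.

Added example, not code from the page, from NETGEAR or from Zeek. The log
records below are constructed; the router address, the admin allow-list and
every threshold are assumptions.
"""
from collections import defaultdict

ROUTER_IP = "192.168.1.1"          # assumption: LAN address of the router being watched
ADMIN_HOSTS = {"192.168.1.10"}     # assumption: the only hosts allowed to use the CLI
TELNET_PORT = 23
MAX_CLIENT_BYTES = 1024            # assumption: interactive CLI sessions send far less than this
BURST_COUNT = 3                    # assumption: this many sessions from one host ...
BURST_WINDOW = 60.0                # ... within this many seconds looks like repeated login attempts
# Zeek conn_state values meaning the session was reset or never cleanly closed.
ABNORMAL_CLOSE = {"RSTR", "RSTO", "RSTOS0", "RSTRH", "S1", "S3", "SH", "SHR"}

# Subset of Zeek conn.log columns, in this order (tab-separated).
FIELDS = ["ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "orig_bytes", "resp_bytes", "conn_state"]

# Constructed sample: one admin session, then a burst of short sessions from
# an unexpected host followed by a 4 KiB client write that the server resets.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes\tconn_state
1700000000.1\t192.168.1.10\t51000\t192.168.1.1\t23\ttcp\ttelnet\t210\t1800\tSF
1700000010.2\t192.168.1.55\t51001\t192.168.1.1\t23\ttcp\ttelnet\t40\t120\tSF
1700000011.3\t192.168.1.55\t51002\t192.168.1.1\t23\ttcp\ttelnet\t40\t120\tSF
1700000012.4\t192.168.1.55\t51003\t192.168.1.1\t23\ttcp\ttelnet\t40\t120\tSF
1700000020.5\t192.168.1.55\t51004\t192.168.1.1\t23\ttcp\ttelnet\t4096\t-\tRSTR
1700000030.6\t192.168.1.10\t51005\t192.168.1.1\t443\ttcp\tssl\t900\t5000\tSF
"""


def _int(value):
    """Zeek writes '-' for unset numeric fields; treat those as zero."""
    return 0 if value == "-" else int(value)


def parse_conn_log(text):
    """Yield one dict per record, skipping Zeek '#' header lines and blanks."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue   # malformed record: skip rather than crash the detector
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = float(rec["ts"])
        for key in ("id.orig_p", "id.resp_p", "orig_bytes", "resp_bytes"):
            rec[key] = _int(rec[key])
        yield rec


def analyze(text):
    """Return a list of alert dicts for telnet sessions to ROUTER_IP."""
    alerts = []
    session_times = defaultdict(list)
    for rec in parse_conn_log(text):
        if (rec["id.resp_h"], rec["id.resp_p"], rec["proto"]) != (ROUTER_IP, TELNET_PORT, "tcp"):
            continue
        src, ts = rec["id.orig_h"], rec["ts"]
        session_times[src].append(ts)
        if src not in ADMIN_HOSTS:
            alerts.append({"kind": "telnet_from_unexpected_host", "src": src, "ts": ts})
        if rec["orig_bytes"] > MAX_CLIENT_BYTES:
            # A long client-to-server write that ends in a reset is what a
            # crashed CLI process looks like from the wire.
            alerts.append({"kind": "oversized_client_input", "src": src, "ts": ts,
                           "orig_bytes": rec["orig_bytes"],
                           "service_reset": rec["conn_state"] in ABNORMAL_CLOSE})
    for src, times in session_times.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= BURST_WINDOW)
            if count >= BURST_COUNT:
                alerts.append({"kind": "telnet_session_burst", "src": src,
                               "ts": start, "count": count})
                break   # one burst alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_CONN_LOG):
        print(alert)
```

On the sample this yields six alerts, all for 192.168.1.55: four unexpected-host sessions, one burst of four sessions within the window, and one 4096-byte client write that the server reset. The same three rules translate directly into the SIEM query above; the reset-after-large-write rule is the one most specific to a crashed or exploited CLI process, so weight it highest.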
