CVE-2023-40479

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers on the same local network to execute arbitrary commands with root privileges on NETGEAR RAX30 routers without authentication. The flaw exists in the UPnP service due to improper input validation when processing user-supplied strings for system calls. Only NETGEAR RAX30 router users are affected.

💻 Affected Systems

Products:
  • NETGEAR RAX30
Versions: Firmware versions prior to V1.0.10.94
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: UPnP is typically enabled by default on NETGEAR routers. The vulnerability requires network adjacency (same LAN).

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete router compromise allowing an attacker to intercept all network traffic, install persistent malware, pivot to other devices, or brick the router.

🟠 Likely Case
Router takeover enabling DNS hijacking, credential theft from connected devices, or botnet recruitment.

🟢 If Mitigated
No impact if the router is patched or UPnP is disabled on isolated networks.

🌐 Internet-Facing: LOW (requires local network access, not directly internet exploitable)
🏢 Internal Only: HIGH (any device on the local network can exploit without authentication)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code has been published and requires minimal technical skill to execute on the local network.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V1.0.10.94 or later

Vendor Advisory: https://kb.netgear.com/000065645/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0360-PSV-2022-0361

Restart Required: Yes

Instructions:

1. Log into the router admin interface (typically 192.168.1.1 or routerlogin.net).
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install V1.0.10.94 or later.
4. Reboot the router after the update completes.

🔧 Temporary Workarounds

Disable UPnP (applies to: all)
Turn off the Universal Plug and Play service to prevent exploitation.

Network Segmentation (applies to: all)
Isolate the router management interface from untrusted devices.

🧯 If You Can't Patch

  • Disable UPnP immediately in router settings
  • Implement strict network segmentation and firewall rules to limit LAN access

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the router admin interface under Advanced > Administration > Firmware Update. If the version is below V1.0.10.94, the router is vulnerable.

Check Version:

No CLI command - check via web interface at 192.168.1.1 or routerlogin.net

Verify Fix Applied:

Confirm firmware version is V1.0.10.94 or higher in router admin interface.
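A numeric version comparison for the firmware check above, added here as an example (not NETGEAR's own tooling). It assumes the version string is copied by hand from the admin interface, since the page notes there is no CLI command, and it avoids the common pitfall of comparing version strings lexically, where "1.0.9.x" wrongly sorts after "1.0.10.94":

```python
import re

# Fix threshold taken from the advisory: V1.0.10.94 or later is patched.
FIXED_VERSION = "V1.0.10.94"


def parse_version(version: str) -> tuple:
    """Turn a NETGEAR-style firmware string such as 'V1.0.10.94' into a tuple
    of integers so that each component compares numerically, not lexically.
    A trailing build suffix after '_' or '-' (assumed format) is ignored."""
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+)*)(?:[_-].*)?\s*", version)
    if not m:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the reported firmware is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    for sample in ("V1.0.9.92", "V1.0.10.93", "V1.0.10.94", "v1.0.11.2"):
        state = "VULNERABLE" if is_vulnerable(sample) else "patched"
        # Show why a plain string comparison must not be used for this check.
        naive = "older" if sample < FIXED_VERSION else "newer/equal"
        print(f"{sample}: {state} (naive string compare says {naive})")
```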

📡 Detection & Monitoring

Log Indicators:

  • Unusual UPnP service activity
  • Unexpected system command execution in router logs
  • Multiple failed UPnP requests from single internal IP

Network Indicators:

  • Malformed UPnP requests to router on port 1900/udp or 5000/tcp
  • Unusual outbound connections from router after UPnP activity

SIEM Query:

source="router" AND (process="upnp" OR port=1900 OR port=5000) AND (command="*" OR shell="*")
