CVE-2023-41182

8.8 HIGH

📋 TL;DR

This vulnerability in NETGEAR ProSAFE Network Management System allows attackers to execute arbitrary code with SYSTEM privileges via directory traversal in the ZipUtils class. Authentication is required, but it can be bypassed. It affects NETGEAR ProSAFE NMS installations where attackers can upload malicious zip files containing path traversal sequences. Organizations using this network management system are at risk.

💻 Affected Systems

Products:
  • NETGEAR ProSAFE Network Management System
Versions: Prior to 1.7.0.22
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authentication, but authentication can be bypassed according to the advisory. The system runs with SYSTEM privileges by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges, allowing attackers to install malware, steal credentials, pivot to other systems, and maintain persistent access.

🟠 Likely Case

Unauthorized access to sensitive network management data, configuration tampering, and potential lateral movement within the network.

🟢 If Mitigated

Exploitation is limited to authenticated users, but the authentication bypass makes this restriction less effective; proper network segmentation could contain the damage.

🌐 Internet-Facing: HIGH - If the NMS is exposed to the internet, attackers can exploit this remotely after bypassing authentication.
🏢 Internal Only: HIGH - Even internally, authenticated users or compromised accounts can exploit this for privilege escalation and lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Authentication required but can be bypassed. Exploit involves crafting malicious zip files with directory traversal sequences. ZDI has published technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.0.22

Vendor Advisory: https://kb.netgear.com/000065705/Security-Advisory-for-Post-authentication-Command-Injection-on-the-Prosafe-Network-Management-System-PSV-2023-0037

Restart Required: Yes

Instructions:

1. Download version 1.7.0.22 from the NETGEAR support portal.
2. Back up the current configuration.
3. Stop the NMS service.
4. Install the update.
5. Restart the service.
6. Verify functionality.

🔧 Temporary Workarounds

Network Segmentation

Isolate NMS system from internet and restrict access to authorized management networks only

Access Control

Implement strict authentication controls and monitor for authentication bypass attempts

🧯 If You Can't Patch

  • Remove internet-facing access immediately and restrict to management VLAN only
  • Implement application whitelisting to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Check NMS version in web interface or via 'About' section. Versions below 1.7.0.22 are vulnerable.

Check Version:

Check web interface at https://[nms-ip]:port or review installed programs in Windows Control Panel

Verify Fix Applied:

Verify version is 1.7.0.22 or higher in NMS interface and test zip file upload functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual zip file uploads
  • Authentication bypass attempts
  • Process creation with SYSTEM privileges from NMS service

Network Indicators:

  • Unusual outbound connections from NMS server
  • Traffic to unexpected ports from NMS

SIEM Query:

source="nms_logs" AND (event="zip_upload" OR event="auth_bypass" OR process="cmd.exe" OR process="powershell.exe")
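
One way to make the "unusual zip file uploads" indicator concrete is to inspect entry names before anything is extracted. The following is an added example, not code from the advisory or from NETGEAR: it flags entries that would resolve outside the extraction directory on Windows. The directory `C:\nms\upload`, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import ntpath
import zipfile

DEST = r"C:\nms\upload"  # hypothetical extraction directory, not from the advisory


def escapes_dest(entry_name, dest=DEST):
    """True if a zip entry name would resolve outside dest on Windows."""
    name = entry_name.replace("/", "\\")
    # Drive-qualified and UNC names ignore the destination entirely.
    if ntpath.splitdrive(name)[0]:
        return True
    base = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(base, name))
    # Compare whole path components, case-insensitively, not string prefixes.
    return ntpath.commonpath([base, target]).lower() != base.lower()


def find_escaping_entries(zip_bytes, dest=DEST):
    """Return the entry names in an archive that must not be extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if escapes_dest(n, dest)]


def build_sample_archive():
    """Constructed test archive: two benign entries, three that escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("config/devices.xml", "a/../notes.txt",
                     "../../outside.txt", "..\\..\\outside2.txt",
                     "D:/other/outside3.txt"):
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_escaping_entries(build_sample_archive()):
        print("reject:", name)
```

The check resolves each name against the destination instead of searching for the string `..`, so a benign entry such as `a/../notes.txt` is not flagged while rooted, drive-qualified and backslash-separated names are.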
