CVE-2025-44658
📋 TL;DR
This vulnerability allows attackers to upload malicious scripts with non-.php extensions that the Netgear RAX30 router's PHP-FPM configuration incorrectly executes as PHP code. This bypasses standard file extension filtering, potentially leading to remote code execution. All users running Netgear RAX30 firmware version V1.0.10.94 are affected.
💻 Affected Systems
- Netgear RAX30
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control of the router, allowing network traffic interception, credential theft, and lateral movement to connected devices.
Likely Case
Remote code execution leading to router configuration changes, malware deployment, or creation of persistent backdoors.
If Mitigated
Attack blocked at perimeter with proper file upload validation and web application firewalls in place.
🎯 Exploit Status
Exploitation requires file upload capability; the vulnerability makes it easier to bypass extension-based filtering.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://www.netgear.com/about/security/
Restart Required: No
Instructions:
Check Netgear security advisory for updates; no official patch currently available for this specific CVE.
🔧 Temporary Workarounds
Restrict PHP-FPM to .php extensions only
Platform: Linux. Modify the PHP-FPM configuration so that only files with the .php extension are processed, as the PHP-FPM documentation recommends.
- Edit php-fpm.conf or the pool configuration file
- Ensure 'security.limit_extensions = .php' is set
Implement strict file upload validation
Platform: All. Add server-side validation that checks the file's content type and extension before processing.
🧯 If You Can't Patch
- Disable file upload functionality entirely if not required
- Implement web application firewall (WAF) rules to block suspicious file upload attempts
🔍 How to Verify
Check if Vulnerable:
Check whether PHP-FPM processes files with non-.php extensions: upload a test file with a .txt extension containing PHP code and check whether it executes.
Check Version:
Log in to the router admin interface and check the firmware version under System Information.
Verify Fix Applied:
Verify that only .php files are processed by PHP-FPM and that requests for other extensions are returned as plain text or produce an error.
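The following shell audit is an added example, not code from the advisory or from Netgear: it reads a PHP-FPM pool file, reports the effective 'security.limit_extensions' value, and flags any pool that hands more than .php to the interpreter, covering both the workaround above and the "Verify Fix Applied" check. The pool files and their paths are constructed for the example; PHP-FPM's built-in default when the directive is absent is '.php .phar', and an explicitly empty value disables the check entirely.

```shell
#!/bin/sh
# Added example (not from the advisory or Netgear): audit PHP-FPM pool files
# for security.limit_extensions. File paths and pool contents are constructed.

# Print the effective security.limit_extensions value for one pool file.
# PHP-FPM's built-in default when the directive is absent is ".php .phar";
# an explicitly empty value disables the check, so any extension executes.
fpm_limit_extensions() {
    if grep -qE '^[[:space:]]*security\.limit_extensions[[:space:]]*=' "$1"; then
        grep -E '^[[:space:]]*security\.limit_extensions[[:space:]]*=' "$1" \
            | tail -n 1 \
            | sed -E 's/^[^=]*=//; s/;.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//'
    else
        printf '%s\n' '.php .phar'
    fi
}

# Return 0 when the pool hands only .php files to the interpreter, 1 otherwise.
fpm_pool_is_hardened() {
    ext=$(fpm_limit_extensions "$1")
    [ -n "$ext" ] || return 1           # empty value: no restriction at all
    for e in $ext; do
        [ "$e" = ".php" ] || return 1   # .phar, .txt, ... would also be parsed
    done
    return 0
}

# Constructed sample pools: the weak one models a misconfiguration of the kind
# the advisory describes (non-.php uploads executed); the other applies the fix.
WEAK_POOL=$(mktemp); HARD_POOL=$(mktemp)
cat >"$WEAK_POOL" <<'EOF'
[www]
listen = 127.0.0.1:9000
security.limit_extensions =
EOF
cat >"$HARD_POOL" <<'EOF'
[www]
listen = 127.0.0.1:9000
security.limit_extensions = .php   ; only .php reaches the interpreter
EOF

audit_pool() {
    if fpm_pool_is_hardened "$1"; then
        printf '%s: OK (limit_extensions=%s)\n' "$1" "$(fpm_limit_extensions "$1")"
    else
        printf '%s: WEAK (limit_extensions="%s")\n' "$1" "$(fpm_limit_extensions "$1")"
    fi
}
audit_pool "$WEAK_POOL"
audit_pool "$HARD_POOL"
```

Point audit_pool at the real pool files under the PHP-FPM configuration directory of the system being checked; a pool left at the default still reports WEAK because .phar is also parsed.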
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with non-standard extensions
- PHP execution errors for non-.php files
- Increased POST requests to upload endpoints
Network Indicators:
- HTTP POST requests with file uploads to router management interface
- Unexpected outbound connections from router
SIEM Query:
source="router_logs" AND (extension="*.txt" OR extension="*.jpg" OR extension="*.png") AND uri="*upload*"