NETGEAR RAX30 Device Configuration Cleartext Storage Information Disclosure Vulnerability
CVE-2023-27370
5.7 MEDIUM
Summary
The NETGEAR RAX30 router stores device configuration secrets in plaintext, which enables network-adjacent attackers to disclose sensitive information. Exploitation requires authentication, but the vulnerability allows this mechanism to be bypassed. Attackers can leverage this flaw to gain access to stored credentials, potentially leading to further compromise of network security.
Affected Version(s)
RAX30 1.0.9.90_3
CVSS V3.1
Score: 5.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved