NETGEAR ProSAFE Network Management System MFileUploadController Unrestricted File Upload Remote Code Execution Vulnerability
CVE-2023-38095

8.8HIGH

Key Information:

Vendor: Netgear
Status: Prosafe Network Management System
Vendor: CVE Published:; 3 May 2024

Summary

A vulnerability exists in the MFileUploadController class of NETGEAR ProSAFE Network Management System that enables remote attackers to execute arbitrary code. This security flaw stems from inadequate validation of user-supplied data, facilitating the upload of potentially harmful files. Although exploitation of this vulnerability requires user authentication, the current mechanism can be bypassed, allowing adversaries to gain unauthorized access. The impact of this vulnerability enables attackers to run code with SYSTEM privileges, heightening the risk of significant security breaches across affected installations.

Affected Version(s)

ProSAFE Network Management System 1.7.0.12 (Win64)

References

https://www.zerodayinitiative.com/advisories/ZDI-23-921/

x_research-advisory

https://kb.netgear.com/000065707/Security-Advisory-for-Mu...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 3, 2024
Vulnerability Reserved
Jul 12, 2023