Command Injection Vulnerability in Netgear FVS336Gv2 and FVS336Gv3 Routers
CVE-2024-23690

7.2 HIGH

Key Information:

Vendor: Netgear
CVE Published: 4 February 2025

Summary

The Netgear FVS336Gv2 and FVS336Gv3 routers are vulnerable to command injection via the Telnet interface. This allows an authenticated attacker to execute arbitrary operating system commands with root privileges. By sending maliciously crafted 'util backup_configuration' commands, an attacker can gain unauthorized access, potentially leading to further exploitation of the device. Users are advised to disable Telnet and migrate to supported products.

Affected Version(s)

FVS336Gv2: versions 0 through 4.3.3-6 (inclusive)

FVS336Gv3: versions 0 through 4.3.5-3 (inclusive)

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jacob Baines