CVE-2025-44658 — CRITICAL (9.8)

Vulnerability Description

In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability is caused by not following the specification to only limit FPM to .php extensions. An attacker may exploit this by uploading malicious scripts disguised with alternate extensions and tricking the web server into executing them as PHP, bypassing security mechanisms based on file extension filtering. This may lead to remote code execution (RCE), information disclosure, or full system compromise.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Netgear	Rax30 Firmware	1.0.10.94
Netgear	Rax30	-

Related Weaknesses (CWE)

CWE-434

References

https://gist.github.com/TPCchecker/c72eea7a3f89070dab7dfdbf7504b2d6Broken Link
https://www.netgear.com/about/security/Vendor Advisory
https://www.notion.so/CVE-2025-44658-24754a1113e780df8f72c779a108f75bThird Party Advisory

FAQ

What is CVE-2025-44658?

CVE-2025-44658 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability is caused by not following the specification to only limit FPM to .php extensions. An attacker may exploit this by uploading malic...

How severe is CVE-2025-44658?

CVE-2025-44658 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-44658?

Check the references section above for vendor advisories and patch information. Affected products include: Netgear Rax30 Firmware, Netgear Rax30.