Netgear releases patches for two high-severity vulnerabilities
The network hardware giant Netgear has discovered two vulnerabilities affecting one of its router models and its network management software.
One of the flaws, tracked as CVE-2023-41183, allows hackers to access Netgear’s Orbi 760 routers and exploit them without needing authentication.
According to the Zero Day Initiative, the problem lies in the settings for the Simple Object Access Protocol (SOAP) API, which lets different software applications communicate. The initiative said there is no proper process in place to confirm someone's identity before they are given permission to use certain SOAP functions.
The bug has a score of 8.8 on the Common Vulnerability Scoring System (CVSS) scale, the widely used public framework for rating the severity of vulnerabilities. Netgear has already released a patch for it.
“Netgear strongly recommends that you download the latest firmware as soon as possible,” the company’s advisory said, adding that it is not responsible for the consequences should customers fail to follow its security recommendations.
Another vulnerability, tracked as CVE-2023-41182, affects the company’s network management system ProSAFE. The flaw allows hackers to control and run their own code on the ProSAFE system.
Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed, the Zero Day Initiative said. The bug has a CVSS score of 7.2 and has been patched in the most recent version of ProSAFE.
There haven't been any reports of the vulnerabilities being exploited in the wild.
Netgear produces networking hardware equipment for consumers, businesses, and service providers. As of 2023, it has more than 800,000 total paid subscribers.
In January, it released fixes for another pre-authentication security vulnerability with a CVSS score of 7.4. It could allow hackers to install malware or carry out a number of other malicious activities.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.