Details of VAR-202203-1667

ID

VAR-202203-1667

CVE

CVE-2022-27643

TITLE

Classic buffer overflow vulnerability in multiple Netgear products

Trust: 0.8

sources: JVNDB: JVNDB-2022-021794

DESCRIPTION

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SOAP requests. When parsing the SOAPAction header, the process does not properly validate the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15692. R6400 firmware, R6700 firmware, R6900P A classic buffer overflow vulnerability exists in multiple Netgear products, including firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The NETGEAR R6700v3 is a Nighthawk AC1750 Smart Dual-Band Gigabit Router from NETGEAR

Trust: 2.88

sources: NVD: CVE-2022-27643 // JVNDB: JVNDB-2022-021794 // ZDI: ZDI-22-519 // CNVD: CNVD-2025-17535 // VULMON: CVE-2022-27643

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-17535

AFFECTED PRODUCTS

vendor:	netgear	model:	wndr3400	scope:	lt	version:	1.0.1.44	Trust: 1.0
vendor:	netgear	model:	r6700	scope:	lt	version:	1.0.4.126	Trust: 1.0
vendor:	netgear	model:	wnr3500l	scope:	lt	version:	1.2.0.72	Trust: 1.0
vendor:	netgear	model:	r6400	scope:	lt	version:	1.0.4.126	Trust: 1.0
vendor:	netgear	model:	ex6130	scope:	lt	version:	1.0.0.48	Trust: 1.0
vendor:	netgear	model:	r6400	scope:	lt	version:	1.0.1.78	Trust: 1.0
vendor:	netgear	model:	r7960p	scope:	lt	version:	1.4.3.88	Trust: 1.0
vendor:	netgear	model:	r8000p	scope:	lt	version:	1.4.3.88	Trust: 1.0
vendor:	netgear	model:	d7000v2	scope:	lt	version:	1.0.0.80	Trust: 1.0
vendor:	netgear	model:	r7100lg	scope:	lt	version:	1.0.0.76	Trust: 1.0
vendor:	netgear	model:	rax75	scope:	lt	version:	1.0.6.138	Trust: 1.0
vendor:	netgear	model:	dc112a	scope:	lt	version:	1.0.0.64	Trust: 1.0
vendor:	netgear	model:	d6220	scope:	lt	version:	1.0.0.80	Trust: 1.0
vendor:	netgear	model:	ex3700	scope:	lt	version:	1.0.0.96	Trust: 1.0
vendor:	netgear	model:	r7850	scope:	lt	version:	1.0.5.84	Trust: 1.0
vendor:	netgear	model:	rs400	scope:	lt	version:	1.5.1.86	Trust: 1.0
vendor:	netgear	model:	r8500	scope:	lt	version:	1.0.2.158	Trust: 1.0
vendor:	netgear	model:	ex6120	scope:	lt	version:	1.0.0.68	Trust: 1.0
vendor:	netgear	model:	ex3800	scope:	lt	version:	1.0.0.96	Trust: 1.0
vendor:	netgear	model:	r7000p	scope:	lt	version:	1.3.3.148	Trust: 1.0
vendor:	netgear	model:	r7000	scope:	lt	version:	1.0.11.134	Trust: 1.0
vendor:	netgear	model:	r7900p	scope:	lt	version:	1.4.3.88	Trust: 1.0
vendor:	netgear	model:	d6400	scope:	lt	version:	1.0.0.114	Trust: 1.0
vendor:	netgear	model:	r6900p	scope:	lt	version:	1.3.3.148	Trust: 1.0
vendor:	netgear	model:	r8000	scope:	lt	version:	1.0.4.84	Trust: 1.0
vendor:	netgear	model:	xr300	scope:	lt	version:	1.0.3.72	Trust: 1.0
vendor:	netgear	model:	rax80	scope:	lt	version:	1.0.6.138	Trust: 1.0
vendor:	netgear	model:	rax200	scope:	lt	version:	1.0.6.138	Trust: 1.0
vendor:	ネットギア	model:	xr300	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	r7960p	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	r8000	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	r7100lg	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	r7850	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	r6700	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	wndr3400	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	r6400	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	r8500	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	rs400	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	r7000p	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	r6900p	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	wnr3500l	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	rax75	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	r7900p	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	r7000	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	rax80	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	rax200	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	r8000p	scope:	-	version:	-	Trust: 0.8
vendor:	netgear	model:	r6700v3	scope:	-	version:	-	Trust: 0.7
vendor:	netgear	model:	r6700v3 1.0.4.120 10.0.91	scope:	-	version:	-	Trust: 0.6

sources: ZDI: ZDI-22-519 // CNVD: CNVD-2025-17535 // JVNDB: JVNDB-2022-021794 // NVD: CVE-2022-27643

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com:	CVE-2022-27643
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2022-27643
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-27643
value:	HIGH
Trust: 0.8
ZDI:	CVE-2022-27643
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2025-17535
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202203-2053
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2025-17535
severity:	HIGH
baseScore:	8.3
vectorString:	AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

zdi-disclosures@trendmicro.com:	CVE-2022-27643
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2022-27643
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ZDI:	CVE-2022-27643
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-22-519 // CNVD: CNVD-2025-17535 // JVNDB: JVNDB-2022-021794 // CNNVD: CNNVD-202203-2053 // NVD: CVE-2022-27643 // NVD: CVE-2022-27643

PROBLEMTYPE DATA

problemtype:	CWE-120	Trust: 1.0
problemtype:	Classic buffer overflow (CWE-120) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-021794 // NVD: CVE-2022-27643

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202203-2053

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202203-2053

PATCH

title:	NETGEAR has issued an update to correct this vulnerability.	url:	https://kb.netgear.com/000064720/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0323	Trust: 0.7
title:	Patch for NETGEAR R6700v3 Authorization Issue Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/713031	Trust: 0.6
title:	NETGEAR R6700v3 Remediation measures for authorization problem vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=231212	Trust: 0.6
title:	-	url:	https://github.com/H4lo/awesomt-IoT-security-article	Trust: 0.1
title:	-	url:	https://github.com/H4lo/awesome-IoT-security-article	Trust: 0.1

sources: ZDI: ZDI-22-519 // CNVD: CNVD-2025-17535 // VULMON: CVE-2022-27643 // CNNVD: CNNVD-202203-2053

EXTERNAL IDS

db:	NVD	id:	CVE-2022-27643	Trust: 4.6
db:	ZDI	id:	ZDI-22-519	Trust: 3.8
db:	JVNDB	id:	JVNDB-2022-021794	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-15692	Trust: 0.7
db:	CNVD	id:	CNVD-2025-17535	Trust: 0.6
db:	CS-HELP	id:	SB2022032410	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-2053	Trust: 0.6
db:	VULMON	id:	CVE-2022-27643	Trust: 0.1

sources: ZDI: ZDI-22-519 // CNVD: CNVD-2025-17535 // VULMON: CVE-2022-27643 // JVNDB: JVNDB-2022-021794 // CNNVD: CNNVD-202203-2053 // NVD: CVE-2022-27643

REFERENCES

url:	https://www.zerodayinitiative.com/advisories/zdi-22-519/	Trust: 3.7
url:	https://kb.netgear.com/000064720/security-advisory-for-pre-authentication-buffer-overflow-on-multiple-products-psv-2021-0323	Trust: 3.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-27643	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-27643/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022032410	Trust: 0.6
url:	https://github.com/h4lo/awesomt-iot-security-article	Trust: 0.1

sources: ZDI: ZDI-22-519 // CNVD: CNVD-2025-17535 // VULMON: CVE-2022-27643 // JVNDB: JVNDB-2022-021794 // CNNVD: CNNVD-202203-2053 // NVD: CVE-2022-27643

CREDITS

Stephen Fewer of Relyze Software Limited (www.relyze.com)

Trust: 1.3

sources: ZDI: ZDI-22-519 // CNNVD: CNNVD-202203-2053

SOURCES

db:	ZDI	id:	ZDI-22-519
db:	CNVD	id:	CNVD-2025-17535
db:	VULMON	id:	CVE-2022-27643
db:	JVNDB	id:	JVNDB-2022-021794
db:	CNNVD	id:	CNNVD-202203-2053
db:	NVD	id:	CVE-2022-27643

LAST UPDATE DATE

2025-08-06T22:55:28.160000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-22-519	date:	2022-03-23T00:00:00
db:	CNVD	id:	CNVD-2025-17535	date:	2025-08-05T00:00:00
db:	JVNDB	id:	JVNDB-2022-021794	date:	2023-11-14T04:15:00
db:	CNNVD	id:	CNNVD-202203-2053	date:	2023-04-06T00:00:00
db:	NVD	id:	CVE-2022-27643	date:	2023-04-05T15:06:04.507

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-22-519	date:	2022-03-23T00:00:00
db:	CNVD	id:	CNVD-2025-17535	date:	2025-07-29T00:00:00
db:	JVNDB	id:	JVNDB-2022-021794	date:	2023-11-14T00:00:00
db:	CNNVD	id:	CNNVD-202203-2053	date:	2022-03-23T00:00:00
db:	NVD	id:	CVE-2022-27643	date:	2023-03-29T19:15:08.497