Details of VAR-202305-0024

ID

VAR-202305-0024

CVE

CVE-2023-27357

TITLE

of netgear RAX30 Vulnerability related to lack of authentication for critical functions in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2023-027708

DESCRIPTION

NETGEAR RAX30 GetInfo Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SOAP requests. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose sensitive information, leading to further compromise. Was ZDI-CAN-19608. NETGEAR RAX30 is a dual-band wireless router from NETGEAR

Trust: 2.79

sources: NVD: CVE-2023-27357 // JVNDB: JVNDB-2023-027708 // ZDI: ZDI-23-497 // CNVD: CNVD-2025-11215

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-11215

AFFECTED PRODUCTS

vendor:	netgear	model:	rax30	scope:	-	version:	-	Trust: 1.3
vendor:	netgear	model:	rax30	scope:	lt	version:	1.0.10.94	Trust: 1.0
vendor:	ネットギア	model:	rax30	scope:	eq	version:	-	Trust: 0.8
vendor:	ネットギア	model:	rax30	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	rax30	scope:	eq	version:	rax30 firmware 1.0.10.94	Trust: 0.8

sources: ZDI: ZDI-23-497 // CNVD: CNVD-2025-11215 // JVNDB: JVNDB-2023-027708 // NVD: CVE-2023-27357

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com:	CVE-2023-27357
value:	MEDIUM
Trust: 1.0
nvd@nist.gov:	CVE-2023-27357
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2023-27357
value:	MEDIUM
Trust: 0.8
ZDI:	CVE-2023-27357
value:	MEDIUM
Trust: 0.7
CNVD:	CNVD-2025-11215
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2025-11215
severity:	MEDIUM
baseScore:	6.1
vectorString:	AV:A/AC:L/AU:N/C:C/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

zdi-disclosures@trendmicro.com:	CVE-2023-27357
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2023-27357
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
ZDI:	CVE-2023-27357
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-23-497 // CNVD: CNVD-2025-11215 // JVNDB: JVNDB-2023-027708 // NVD: CVE-2023-27357 // NVD: CVE-2023-27357

PROBLEMTYPE DATA

problemtype:	CWE-306	Trust: 1.0
problemtype:	Lack of authentication for critical features (CWE-306) [NVD evaluation ]	Trust: 0.8
problemtype:	Lack of authentication for critical features (CWE-306) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-027708 // NVD: CVE-2023-27357

PATCH

title:	NETGEAR has issued an update to correct this vulnerability.	url:	https://kb.netgear.com/000065619/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0348	Trust: 0.7
title:	Patch for NETGEAR RAX30 Information Disclosure Vulnerability (CNVD-2025-11215)	url:	https://www.cnvd.org.cn/patchInfo/show/692191	Trust: 0.6

sources: ZDI: ZDI-23-497 // CNVD: CNVD-2025-11215

EXTERNAL IDS

db:	NVD	id:	CVE-2023-27357	Trust: 3.9
db:	ZDI	id:	ZDI-23-497	Trust: 2.5
db:	JVNDB	id:	JVNDB-2023-027708	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-19608	Trust: 0.7
db:	CNVD	id:	CNVD-2025-11215	Trust: 0.6

sources: ZDI: ZDI-23-497 // CNVD: CNVD-2025-11215 // JVNDB: JVNDB-2023-027708 // NVD: CVE-2023-27357

REFERENCES

url:	https://kb.netgear.com/000065619/security-advisory-for-multiple-vulnerabilities-on-the-rax30-psv-2022-0348	Trust: 2.5
url:	https://www.zerodayinitiative.com/advisories/zdi-23-497/	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-27357	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2023-27357	Trust: 0.6

sources: ZDI: ZDI-23-497 // CNVD: CNVD-2025-11215 // JVNDB: JVNDB-2023-027708 // NVD: CVE-2023-27357

CREDITS

Claroty Research - Vera Mens, Noam Moshe, Uri Katz, Sharon Brizinov

Trust: 0.7

sources: ZDI: ZDI-23-497

SOURCES

db:	ZDI	id:	ZDI-23-497
db:	CNVD	id:	CNVD-2025-11215
db:	JVNDB	id:	JVNDB-2023-027708
db:	NVD	id:	CVE-2023-27357

LAST UPDATE DATE

2025-06-02T23:30:35.429000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-23-497	date:	2023-05-01T00:00:00
db:	CNVD	id:	CNVD-2025-11215	date:	2025-05-30T00:00:00
db:	JVNDB	id:	JVNDB-2023-027708	date:	2025-01-06T04:22:00
db:	NVD	id:	CVE-2023-27357	date:	2025-01-03T17:29:55.853

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-23-497	date:	2023-05-01T00:00:00
db:	CNVD	id:	CNVD-2025-11215	date:	2025-05-27T00:00:00
db:	JVNDB	id:	JVNDB-2023-027708	date:	2025-01-06T00:00:00
db:	NVD	id:	CVE-2023-27357	date:	2024-05-03T02:15:13.500