cnvd - cnvd-2025-17535

CNVD-2025-17535

Vulnerability from cnvd - Published: 2025-07-29

Title

NETGEAR R6700v3授权问题漏洞

Description

NETGEAR R6700v3是美国网件推出的Nighthawk AC1750智能双频千兆路由器。 NETGEAR R6700v3存在授权问题漏洞，该漏洞源于在将用户提供的数据复制到缓冲区之前未正确验证其长度。攻击者可利用该漏洞执行代码。

Severity

高

Patch Name

NETGEAR R6700v3授权问题漏洞的补丁

Patch Description

NETGEAR R6700v3是美国网件推出的Nighthawk AC1750智能双频千兆路由器。 NETGEAR R6700v3存在授权问题漏洞，该漏洞源于在将用户提供的数据复制到缓冲区之前未正确验证其长度。攻击者可利用该漏洞执行代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级程序修复该安全问题，详情见厂商官网： https://kb.netgear.com/000064720/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0323

Reference

https://www.zerodayinitiative.com/advisories/ZDI-22-519/

Impacted products

Name
NETGEAR R6700v3 1.0.4.120_10.0.91

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-27643",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-27643"
    }
  },
  "description": "NETGEAR R6700v3\u662f\u7f8e\u56fd\u7f51\u4ef6\u63a8\u51fa\u7684Nighthawk AC1750\u667a\u80fd\u53cc\u9891\u5343\u5146\u8def\u7531\u5668\u3002\n\nNETGEAR R6700v3\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u5c06\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\u590d\u5236\u5230\u7f13\u51b2\u533a\u4e4b\u524d\u672a\u6b63\u786e\u9a8c\u8bc1\u5176\u957f\u5ea6\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://kb.netgear.com/000064720/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0323",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-17535",
  "openTime": "2025-07-29",
  "patchDescription": "NETGEAR R6700v3\u662f\u7f8e\u56fd\u7f51\u4ef6\u63a8\u51fa\u7684Nighthawk AC1750\u667a\u80fd\u53cc\u9891\u5343\u5146\u8def\u7531\u5668\u3002\r\n\r\nNETGEAR R6700v3\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u5c06\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\u590d\u5236\u5230\u7f13\u51b2\u533a\u4e4b\u524d\u672a\u6b63\u786e\u9a8c\u8bc1\u5176\u957f\u5ea6\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "NETGEAR R6700v3\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "NETGEAR R6700v3 1.0.4.120_10.0.91"
  },
  "referenceLink": "https://www.zerodayinitiative.com/advisories/ZDI-22-519/",
  "serverity": "\u9ad8",
  "submitTime": "2022-03-25",
  "title": "NETGEAR R6700v3\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2022-27643 (GCVE-0-2022-27643)

Vulnerability from cvelistv5 – Published: 2023-03-29 00:00 – Updated: 2025-02-18 17:49

Summary

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SOAP requests. When parsing the SOAPAction header, the process does not properly validate the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15692.

Severity ?

8.8 (High)


                        
                          CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Assigner

zdi

References

URL

Tags

	https://www.zerodayinitiative.com/advisories/ZDI-…
	https://kb.netgear.com/000064720/Security-Advisor…

Impacted products

	Vendor	Product	Version
	NETGEAR	R6700v3	Affected: 1.0.4.120_10.0.91

Credits

Stephen Fewer of Relyze Software Limited (www.relyze.com)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:32:59.967Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-519/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://kb.netgear.com/000064720/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0323"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-27643",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-18T17:49:08.208403Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-18T17:49:16.374Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "R6700v3",
          "vendor": "NETGEAR",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.4.120_10.0.91"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Stephen Fewer of Relyze Software Limited (www.relyze.com)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SOAP requests. When parsing the SOAPAction header, the process does not properly validate the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15692."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-120",
              "description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-29T00:00:00.000Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-519/"
        },
        {
          "url": "https://kb.netgear.com/000064720/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0323"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2022-27643",
    "datePublished": "2023-03-29T00:00:00.000Z",
    "dateReserved": "2022-03-22T00:00:00.000Z",
    "dateUpdated": "2025-02-18T17:49:16.374Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-17535

CVE-2022-27643 (GCVE-0-2022-27643)

Tags

Sightings

Nomenclature