Cyber Resilience

CVE-2023-44449

High

Published: 03 May 2024

Published
03 May 2024
Modified
07 February 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1509 94.7th percentile
Risk Priority 27 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-44449 is a high-severity SQL Injection (CWE-89) vulnerability in Netgear Prosafe Network Management System. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 5.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-44449 is a SQL injection vulnerability in the clearAlertByIds function of NETGEAR ProSAFE Network Management System. The flaw stems from insufficient validation of user-supplied input used to build SQL queries, allowing authenticated attackers to escalate privileges on affected installations. It carries a CVSS 3.1 score of 8.8 and is tracked under CWE-89; the issue was originally reported as ZDI-CAN-21875.

An authenticated remote attacker can supply crafted input to the vulnerable function and leverage the resulting SQL injection to access resources and perform actions normally restricted to higher-privileged accounts. No unauthenticated exploitation path is described.

NETGEAR advisory PSV-2023-0114 and the corresponding Zero Day Initiative bulletin ZDI-23-1717 recommend applying the vendor-supplied updates for NMS300 to address the issue. The EPSS score has remained at 0.1509 with no material increase since disclosure.

EU & UK References

Vulnerability details

NETGEAR ProSAFE Network Management System clearAlertByIds SQL Injection Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of NETGEAR ProSAFE Network Management System. Authentication is required to exploit this vulnerability. The specific flaw exists within…

more

the clearAlertByIds function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-21875.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

netgear
prosafe network management system
≤ 1.7.0.31

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References