CVE-2023-44449
Published: 03 May 2024
Summary
CVE-2023-44449 is a high-severity SQL Injection (CWE-89) vulnerability in Netgear Prosafe Network Management System. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 5.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-44449 is a SQL injection vulnerability in the clearAlertByIds function of NETGEAR ProSAFE Network Management System. The flaw stems from insufficient validation of user-supplied input used to build SQL queries, allowing authenticated attackers to escalate privileges on affected installations. It carries a CVSS 3.1 score of 8.8 and is tracked under CWE-89; the issue was originally reported as ZDI-CAN-21875.
An authenticated remote attacker can supply crafted input to the vulnerable function and leverage the resulting SQL injection to access resources and perform actions normally restricted to higher-privileged accounts. No unauthenticated exploitation path is described.
NETGEAR advisory PSV-2023-0114 and the corresponding Zero Day Initiative bulletin ZDI-23-1717 recommend applying the vendor-supplied updates for NMS300 to address the issue. The EPSS score has remained at 0.1509 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-48789
Vulnerability details
NETGEAR ProSAFE Network Management System clearAlertByIds SQL Injection Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of NETGEAR ProSAFE Network Management System. Authentication is required to exploit this vulnerability. The specific flaw exists within…
more
the clearAlertByIds function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-21875.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.