Cyber Resilience

CVE-2025-25246

Severity: High · RCE

Published: 05 February 2025
Modified: 15 April 2026
CVSS Score (v3.1): 8.1 · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0498 (89.9th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25246 is a high-severity Code Injection (CWE-94) vulnerability affecting Netgear routers (vendor inferred from references; NVD filed no CPE). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.1% of CVEs by exploit likelihood (EPSS 89.9th percentile) but is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2025-25246 is an unauthenticated remote code execution vulnerability, tracked under CWE-94, that affects NETGEAR XR1000 firmware versions before 1.0.0.74, XR1000v2 versions before 1.1.0.22, and XR500 versions before 2.3.2.134. The flaw carries a CVSS 3.1 base score of 8.1 and permits an attacker to inject and execute arbitrary code on the affected router.

An unauthenticated attacker with network access can exploit the issue without user interaction or credentials, resulting in full compromise of confidentiality, integrity, and availability on the device. The CVSS vector rates attack complexity as high (AC:H); that single metric is what holds the base score at 8.1 rather than the 9.8 an otherwise identical low-complexity vector would score.

Netgear has published a security advisory (PSV-2023-0039) that details the affected models and provides remediation guidance in its knowledge base. The current EPSS score of 0.0498, which peaked at only 0.0917 before receding, indicates limited observed exploitation interest to date.


Vulnerability details

NETGEAR XR1000 before 1.0.0.74, XR1000v2 before 1.1.0.22, and XR500 before 2.3.2.134 allow remote code execution by unauthenticated users.
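The fixed versions above are the only concrete check a practitioner can run before vendor patches land. This added example (not NETGEAR code and not the page's own tooling) turns them into an inventory triage: firmware strings are compared numerically, field by field, because a plain string comparison would wrongly judge "1.0.0.9" newer than "1.0.0.74". The normalisation step (strip a leading "V", drop anything after "_") is an assumption about how the firmware reports its version, not something the advisory states.

```python
"""Firmware version triage for CVE-2025-25246 (added example, not NETGEAR code).

Fixed versions come from the vulnerability details on this page; the
version-string normalisation is an assumption about NETGEAR's format.
"""
from typing import List, Tuple

# Model -> first fixed firmware version, per the advisory text.
FIXED_VERSIONS = {
    "XR1000": "1.0.0.74",
    "XR1000v2": "1.1.0.22",
    "XR500": "2.3.2.134",
}


def parse_version(raw: str) -> Tuple[int, ...]:
    """Normalise a firmware string to a tuple of ints for numeric comparison.

    Assumption: the firmware may report itself as 'V1.0.0.72_1.0.52'; the
    leading 'V' is cosmetic and the '_...' suffix is a build tag that is not
    part of the version the advisory compares against.
    """
    s = raw.strip()
    if s[:1] in ("V", "v"):
        s = s[1:]
    s = s.split("_", 1)[0]
    parts = s.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {raw!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(model: str, firmware: str) -> bool:
    """True if the model is in scope and its firmware predates the fix.

    Unknown models raise rather than silently returning False, so a typo in
    an inventory cannot hide an exposed device.
    """
    if model not in FIXED_VERSIONS:
        raise ValueError(f"{model!r} is not covered by CVE-2025-25246")
    return parse_version(firmware) < parse_version(FIXED_VERSIONS[model])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (hostname, model, firmware) entries that are still exposed."""
    return [entry for entry in inventory if is_vulnerable(entry[1], entry[2])]


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("lab-gw-1", "XR1000", "V1.0.0.72_1.0.52"),   # below 1.0.0.74 -> exposed
    ("lab-gw-2", "XR1000", "V1.0.0.74_1.0.54"),   # exactly the fix -> patched
    ("lab-gw-3", "XR1000v2", "1.1.0.22"),         # exactly the fix -> patched
    ("branch-gw", "XR500", "V2.3.2.9"),           # 9 < 134 numerically -> exposed
]


if __name__ == "__main__":
    for host, model, fw in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} {fw} is below {FIXED_VERSIONS[model]}, patch required")
```

Feed it whatever your asset register exports (model and firmware string per router) and the exposed subset is the list to hand to whoever applies the SI-2 patches.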

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated RCE on public-facing WiFi routers directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059.004 (Unix Shell) for arbitrary code execution on the Linux-based device.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29955 (shared CWE-94)
CVE-2024-55964 (shared CWE-94)
CVE-2026-20045 (shared CWE-94)
CVE-2025-67038 (shared CWE-94)
CVE-2024-23921 (shared CWE-94)
CVE-2024-53944 (shared CWE-94)
CVE-2024-44722 (shared CWE-94)
CVE-2026-25001 (shared CWE-94)
CVE-2025-25680 (shared CWE-94)
CVE-2026-43680 (shared CWE-94)

Affected Assets

Netgear
Vendor inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent / recover
Directly mitigates the unauthenticated RCE by requiring timely application of NETGEAR's fixed firmware (XR1000 1.0.0.74, XR1000v2 1.1.0.22, XR500 2.3.2.134 or later).

RA-5 Vulnerability Monitoring and Scanning · prevent / detect
Identifies CVE-2025-25246 on affected XR1000, XR1000v2 and XR500 routers through vulnerability scanning, so exposed devices can be remediated.

Security advisory monitoring · prevent / detect
Ensures vendor security advisories such as NETGEAR PSV-2023-0039 are monitored and acted on, so this RCE is noticed and patched promptly.
