Cyber Resilience

CVE-2025-44658

Severity: Critical (updated)
Published: 21 July 2025
Modified: 17 June 2026
KEV Added: not listed
Patch: no details available
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0101 (58.6th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2025-44658 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Netgear RAX30 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 41.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).

Deeper analysis

CVE-2025-44658 is a PHP-FPM misconfiguration vulnerability in Netgear RAX30 firmware version 1.0.10.94. The flaw stems from failure to restrict PHP-FPM processing exclusively to files with .php extensions, allowing scripts with alternate extensions to be executed as PHP code. The issue is tracked under CWE-434 and carries a CVSS 3.1 base score of 9.8.

An unauthenticated remote attacker can upload a malicious file disguised with a non-.php extension and cause the web server to execute it, bypassing extension-based filters. Successful exploitation grants remote code execution, information disclosure, or full system compromise without requiring user interaction or credentials.

Public references point to a Netgear security page and a technical disclosure on GitHub, but no specific patch details or mitigation guidance are provided in the available sources. The associated EPSS score remains flat at 0.0132 with no material increase observed after disclosure.


Vulnerability details

In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability is caused by not following the specification to only limit FPM to .php extensions. An attacker may exploit this by uploading malicious scripts disguised with alternate extensions and tricking the web server into executing them as PHP, bypassing security mechanisms based on file extension filtering. This may lead to remote code execution (RCE), information disclosure, or full system compromise.

CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Direct RCE via public-facing web server misconfiguration enabling disguised PHP script execution (web shell upload).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-50002 (shared CWE-434)
CVE-2015-10135 (shared CWE-434)
CVE-2025-69312 (shared CWE-434)
CVE-2015-10144 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2026-37748 (shared CWE-434)
CVE-2025-49387 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2026-6518 (shared CWE-434)
CVE-2025-67968 (shared CWE-434)

Affected Assets

Netgear RAX30 firmware, version 1.0.10.94

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

CM-6 Configuration Settings (prevent): Mandates secure configuration settings for PHP-FPM to restrict processing exclusively to .php extensions, directly preventing execution of malicious scripts disguised with alternate extensions.

CM-7 Least Functionality (prevent): Limits the system to least functionality by prohibiting PHP-FPM from processing non-.php files, eliminating the misconfiguration that enables RCE via disguised uploads.

Third control (prevent, recover; not named on the page): Requires timely identification, reporting, and correction of the PHP-FPM misconfiguration flaw in router firmware, mitigating RCE through patching.
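The "only limit FPM to .php extensions" wording in the CVE text is the PHP-FPM documentation's guidance for the pool directive security.limit_extensions. The fragment below is an added illustration of the weak setting beside the corrected one; it is not taken from the page or from Netgear's firmware, and the pool name, socket path and user are assumed.

```ini
; PHP-FPM pool configuration (e.g. www.conf). Pool name, listen path and
; user/group are assumed values for this example.
[www]
listen = /run/php/php-fpm.sock
user = www-data
group = www-data

; WEAK (CM-6 / CM-7 gap): an empty value tells FPM to accept any extension,
; so whatever the front-end web server hands to FPM, including an uploaded
; file such as avatar.jpg or notes.txt, is parsed and executed as PHP.
; This is the class of misconfiguration CVE-2025-44658 describes.
; security.limit_extensions =

; CORRECTED: follow the PHP-FPM documentation and limit FPM to .php only.
; A request for any other extension is refused by FPM itself ("Access
; denied."), even if the web server's routing rule forwards it by mistake.
security.limit_extensions = .php
```

The directive is FPM's own backstop; the web server's FastCGI location rule should still only forward requests for .php files so that the two checks do not depend on each other.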
