CVE-2025-44658
Published: 21 July 2025
Summary
CVE-2025-44658 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Netgear RAX30 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 34.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- CM-6 (Configuration Settings): mandates secure configuration settings for PHP-FPM that restrict processing exclusively to .php extensions, directly preventing execution of malicious scripts disguised with alternate extensions.
- CM-7 (Least Functionality): limits the system to least functionality by prohibiting PHP-FPM from processing non-.php files, eliminating the misconfiguration that enables RCE via disguised uploads.
- Flaw remediation: requires timely identification, reporting, and correction of the PHP-FPM misconfiguration in the router firmware, mitigating RCE through patching.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via public-facing web server misconfiguration enabling disguised PHP script execution (web shell upload).
NVD Description
In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability is caused by not following the specification to only limit FPM to .php extensions. An attacker may exploit this by uploading malicious scripts disguised with alternate extensions and tricking the web server into executing them as PHP, bypassing security mechanisms based on file extension filtering. This may lead to remote code execution (RCE), information disclosure, or full system compromise.
Deeper analysis
CVE-2025-44658 is a PHP-FPM misconfiguration vulnerability in the Netgear RAX30 router running firmware version V1.0.10.94. The flaw stems from a failure to follow PHP-FPM specifications that restrict processing to files with .php extensions only. This misconfiguration enables the web server to interpret and execute files with alternative extensions as PHP scripts.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely by unauthenticated attackers with low complexity and no user interaction. Attackers can upload malicious scripts disguised with non-.php extensions, tricking the web server into executing them as PHP and bypassing security controls reliant on file extension filtering. Successful exploitation may result in remote code execution (RCE), information disclosure, or full system compromise, mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type).
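As an added defensive check that is not part of this advisory or of Netgear's firmware: a small POSIX shell audit of the PHP-FPM pool directive (`security.limit_extensions`) that the NVD text refers to, run against constructed sample pool files, since the RAX30's actual configuration is not on this page.

```sh
#!/bin/sh
# Added audit helper (not from the advisory): flag a PHP-FPM pool whose
# security.limit_extensions lets FPM execute files that are not .php.
# Exit 0 = restricted to PHP extensions, 1 = empty value (check disabled)
# or a non-PHP extension allowed. The pool files below are constructed samples.

check_limit_extensions() {
    conf="$1"
    # php-fpm keeps the last assignment, so inspect the final uncommented one
    line=$(grep -E '^[[:space:]]*security\.limit_extensions[[:space:]]*=' "$conf" | tail -n 1)
    if [ -z "$line" ]; then
        echo "$conf: directive absent, php-fpm default (.php and variants) applies"
        return 0
    fi
    # strip the key, a trailing ';' comment and surrounding whitespace
    value=$(printf '%s' "$line" | sed 's/^[^=]*=//; s/;.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$value" ]; then
        echo "$conf: security.limit_extensions is EMPTY, any uploaded file can run as PHP"
        return 1
    fi
    for ext in $value; do
        case "$ext" in
            .php|.php[0-9]|.phar) ;;   # PHP script extensions only
            *) echo "$conf: non-PHP extension '$ext' allowed"; return 1 ;;
        esac
    done
    echo "$conf: OK, limited to '$value'"
    return 0
}

# Constructed sample pools (not the RAX30's real configuration)
SAMPLE_DIR=$(mktemp -d)
printf '[www]\nlisten = 127.0.0.1:9000\nsecurity.limit_extensions =\n' \
    > "$SAMPLE_DIR/empty.conf"
printf '[www]\nsecurity.limit_extensions = .php .html .txt ; too broad\n' \
    > "$SAMPLE_DIR/permissive.conf"
printf '[www]\nsecurity.limit_extensions = .php\n' > "$SAMPLE_DIR/hardened.conf"
printf '[www]\nlisten = 127.0.0.1:9000\n' > "$SAMPLE_DIR/absent.conf"

for f in empty permissive hardened absent; do
    check_limit_extensions "$SAMPLE_DIR/$f.conf" || true
done
# Also review the web server's fastcgi_pass/SetHandler rule: FPM's limit is the
# backstop for a front end that forwards more than *.php to it.
```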
Mitigation details and advisories are available through Netgear's security page at https://www.netgear.com/about/security/, with additional technical analysis provided in a Gist at https://gist.github.com/TPCchecker/c72eea7a3f89070dab7dfdbf7504b2d6 and a Notion document at https://www.notion.so/CVE-2025-44658-24754a1113e780df8f72c779a108f75b. The CVE was published on 2025-07-21.
Details
- CWE(s)