CVE-2025-44658
Published: 21 July 2025
Summary
CVE-2025-44658 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Netgear RAX30 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 41.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Deeper analysis
CVE-2025-44658 is a PHP-FPM misconfiguration vulnerability in Netgear RAX30 firmware version 1.0.10.94. The flaw stems from failure to restrict PHP-FPM processing exclusively to files with .php extensions, allowing scripts with alternate extensions to be executed as PHP code. The issue is tracked under CWE-434 and carries a CVSS 3.1 base score of 9.8.
An unauthenticated remote attacker can upload a malicious file disguised with a non-.php extension and cause the web server to execute it, bypassing extension-based filters. Successful exploitation grants remote code execution, information disclosure, or full system compromise without requiring user interaction or credentials.
Public references point to a Netgear security page and a technical disclosure on GitHub, but no specific patch details or mitigation guidance are provided in the available sources. The associated EPSS score remains flat at 0.0132 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22119
Vulnerability details
In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability is caused by not following the specification to only limit FPM to .php extensions. An attacker may exploit this by uploading malicious scripts disguised with alternate extensions and tricking the web server into executing them as PHP, bypassing security mechanisms based on file extension filtering. This may lead to remote code execution (RCE), information disclosure, or full system compromise.
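The condition described in the deeper analysis and in the vulnerability details above is the php-fpm pool setting security.limit_extensions being emptied or widened. The pool file below is an added example, not taken from the advisory or from Netgear's firmware, and shows the weak setting next to the hardened one; the pool name, user, socket path and file location are assumptions.

```ini
; Added example (not from the advisory or the RAX30 firmware): a php-fpm
; pool file such as /etc/php/8.x/fpm/pool.d/www.conf (assumed path) with
; the weak setting shown commented out above the hardened one.

; --- WEAK: extension check disabled --------------------------------------
; An empty security.limit_extensions switches the check off, so any file
; the web server forwards to this pool in SCRIPT_FILENAME (upload.jpg,
; note.txt, ...) is run as PHP. This is the misconfiguration class the
; advisory describes.
;[www]
;user = www-data
;listen = /run/php/php-fpm.sock
;security.limit_extensions =

; --- HARDENED: only .php scripts are executed ----------------------------
[www]
user = www-data
group = www-data
listen = /run/php/php-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
; FPM refuses any script whose extension is not in this list, answering
; "Access denied." (HTTP 403) and logging a line that points at
; security.limit_extensions, which is also a useful detection signal.
; The compiled-in default is ".php .phar"; set it explicitly so a packaged
; default or a later empty override cannot silently widen it.
security.limit_extensions = .php
```

Restricting the pool is only half of the fix: the web server in front of it should forward only requests for .php files to FastCGI and return 404 for scripts that do not exist, so that a disguised upload is never handed to FPM at all.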
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via public-facing web server misconfiguration enabling disguised PHP script execution (web shell upload).
Mitigating Controls (NIST 800-53 r5)
- CM-6 (Configuration Settings): Mandates secure configuration settings for PHP-FPM to restrict processing exclusively to .php extensions, directly preventing execution of malicious scripts disguised with alternate extensions.
- CM-7 (Least Functionality): Limits the system to least functionality by prohibiting PHP-FPM from processing non-.php files, eliminating the misconfiguration that enables RCE via disguised uploads.
- Requires timely identification, reporting, and correction of the PHP-FPM misconfiguration flaw in router firmware, mitigating RCE through patching.