Cyber Posture

CVE-2024-23690

Severity: High · Public PoC

Published: 04 February 2025

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0084 (74.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The end-of-life Netgear FVS336Gv2 and FVS336Gv3 are affected by a command injection vulnerability in the Telnet interface. An authenticated and remote attacker can execute arbitrary OS commands as root over Telnet by sending crafted "util backup_configuration" commands.

Security Summary

CVE-2024-23690 is a command injection vulnerability (CWE-78) in the Telnet interface of the end-of-life Netgear FVS336Gv2 and FVS336Gv3 VPN firewalls. Published on 2025-02-04, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

An authenticated remote attacker can exploit the vulnerability by sending crafted "util backup_configuration" commands over Telnet, enabling execution of arbitrary OS commands as root. This requires high privileges (PR:H) but no user interaction, allowing full system compromise on affected devices.

The primary advisory is available at https://vulncheck.com/advisories/netgear-fvs336g-rce. As the devices are end-of-life, no vendor patches are referenced.

Details

CWE(s): CWE-78

References