CVE-2025-12943 is a vulnerability classified under CWE-295 (Improper Certificate Validation) found in the firmware update logic of NETGEAR RAX30 (Nighthawk AX5 5-Stream AX2400 WiFi 6 Router) and RAXE300 (Nighthawk AXE7800 Tri-Band WiFi 6E Router). The flaw stems from the routers failing to properly validate digital certificates during the firmware update process. This improper validation allows an attacker with the capability to intercept and tamper with network traffic destined for the device to inject malicious firmware or commands. Because the update mechanism trusts unauthenticated or improperly validated certificates, attackers can execute arbitrary commands on the affected devices, potentially gaining control over them. The vulnerability does not require user interaction or authentication, increasing its risk profile, but exploitation requires network-level access to intercept traffic, such as via a man-in-the-middle (MitM) attack. NETGEAR has addressed this issue in firmware versions 1.0.14.108 or later for RAX30 and 1.0.9.82 or later for RAXE300. Devices with automatic updates enabled may already be patched. The CVSS 4.0 base score is 5.2 (medium severity), reflecting the attack vector (adjacent network), low attack complexity, no privileges required, and no user interaction needed, but with limited scope and moderate impact on confidentiality, integrity, and availability.

The vulnerability allows attackers to execute arbitrary commands on affected routers by exploiting improper certificate validation during firmware updates. This can lead to full device compromise, enabling attackers to alter router configurations, intercept or redirect network traffic, deploy persistent malware, or disrupt network availability. Organizations relying on these routers for network connectivity risk exposure of sensitive data, loss of network integrity, and potential lateral movement within internal networks. The impact extends to both enterprise and home users, especially where these routers serve as primary network gateways. Given the routers’ role in WiFi 6 and WiFi 6E environments, the vulnerability could affect high-speed and high-capacity networks, amplifying the potential damage. Although no exploits are currently known in the wild, the ease of exploitation by attackers with network access makes timely patching critical to prevent compromise.

1. Immediately verify the firmware version on all NETGEAR RAX30 and RAXE300 devices and upgrade to firmware versions 1.0.14.108 or later for RAX30 and 1.0.9.82 or later for RAXE300. 2. Enable automatic firmware updates if not already active to ensure timely application of security patches. 3. Restrict network access to router management interfaces and firmware update endpoints to trusted networks only, reducing the risk of MitM attacks. 4. Employ network segmentation and monitoring to detect unusual traffic patterns indicative of interception or tampering attempts. 5. Use encrypted and authenticated management protocols (e.g., HTTPS, SSH) for router administration to prevent interception. 6. Educate network administrators about the risks of certificate validation flaws and the importance of verifying firmware authenticity. 7. Consider deploying network intrusion detection systems (NIDS) capable of identifying suspicious firmware update traffic or command injection attempts. 8. For critical environments, consider additional network-layer protections such as VPNs or secure tunnels to protect update traffic from interception.