CVE-2025-12943: CWE-295 Improper Certificate Validation in NETGEAR RAX30
Improper certificate validation in firmware update logic in NETGEAR RAX30 (Nighthawk AX5 5-Stream AX2400 WiFi 6 Router) and RAXE300 (Nighthawk AXE7800 Tri-Band WiFi 6E Router) allows attackers with the ability to intercept and tamper traffic destined to the device to execute arbitrary commands on the device. Devices with automatic updates enabled may already have this patch applied. If not, please check the firmware version and update to the latest. Fixed in: RAX30 firmware 1.0.14.108 or later. RAXE300 firmware 1.0.9.82 or later
AI Analysis
Technical Summary
CVE-2025-12943 is a CWE-295 (Improper Certificate Validation) defect in the firmware update logic of the NETGEAR RAX30 (Nighthawk AX5 5-Stream AX2400 WiFi 6 Router) and RAXE300 (Nighthawk AXE7800 Tri-Band WiFi 6E Router). Per the advisory, the update client does not properly validate the certificate of the server it contacts, so an attacker able to intercept and tamper with traffic destined for the device (a man-in-the-middle position upstream of the router on the WAN path, or control of the DNS or routing the device relies on to reach its update endpoint) can substitute their own response and obtain arbitrary command execution on the router. In this weakness class the client typically accepts any certificate, or a valid certificate for the wrong host, instead of only one that chains to a trusted CA and matches the expected update host; the advisory does not say which check is missing here, nor how a tampered update response turns into command execution, so those details are not public. No credentials on the device are needed; the precondition is the network position. The CVE record uses CVSS v4.0, but this page carries no numeric score or vector string: the "5.2" under Technical Details below is the CVE record's data version, not a CVSS score. NETGEAR fixed the issue in firmware 1.0.14.108 for the RAX30 and 1.0.9.82 for the RAXE300. Devices with automatic updates enabled may already be on a fixed release, but the version should be confirmed rather than assumed. The page records no known in-the-wild exploitation.
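To make the weakness class concrete, here is an added Python example of a firmware update client written for this page; it is not NETGEAR's code (the RAX30/RAXE300 update logic is not public) and it does not reproduce the actual bug. The weak client turns off chain and hostname verification, which is the shape of defect CWE-295 describes; the hardened client requires both, and adds an image digest check against a manifest as a second layer. The update host, CA bundle path, manifest format and sample image bytes are all constructed for the example. One caveat the code comments repeat: the digest check only helps if the manifest itself comes from a trusted source; a real device would verify a vendor signature on the manifest with a key baked into the firmware, which is omitted here to keep the example standard-library only.

```python
import hashlib
import hmac
import json
import ssl
import urllib.request
from typing import Optional

# Constructed for this example. Not NETGEAR's update infrastructure.
UPDATE_HOST = "updates.example.invalid"
VENDOR_CA_BUNDLE = "/etc/firmware-update/vendor-ca.pem"


def weak_context() -> ssl.SSLContext:
    """The CWE-295 pattern: TLS is used, but the peer is never authenticated.
    Anyone on the path can present an arbitrary certificate and be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Chain must validate against a trusted CA set AND the leaf must match
    the expected host name. A valid certificate for the wrong host is still
    a man-in-the-middle, so both checks are required. Pass the vendor CA
    bundle path to pin to the vendor's CA instead of the system store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_authenticating(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies both the chain and the host name."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def parse_manifest(manifest_bytes: bytes) -> dict:
    """Manifest format assumed for the example: JSON with model, version,
    size and sha256. Reject anything missing a field rather than guess."""
    m = json.loads(manifest_bytes)
    for key in ("model", "version", "size", "sha256"):
        if key not in m:
            raise ValueError(f"manifest missing {key}")
    return m


def verify_image(image: bytes, manifest: dict, expected_model: str) -> bool:
    """Accept an image only if model, size and SHA-256 digest all match.
    Independent of the transport, so it still holds if TLS was defeated,
    PROVIDED the manifest is trusted (in a real device: vendor-signed)."""
    if manifest["model"] != expected_model:
        return False
    if len(image) != manifest["size"]:
        return False
    digest = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(digest, manifest["sha256"])


def fetch_update(ctx: ssl.SSLContext, model: str, timeout: float = 30.0) -> bytes:
    """Fetch manifest then image over ctx; return the image only if it checks
    out. Does network I/O, so it is not exercised offline."""
    if not context_is_authenticating(ctx):
        raise RuntimeError("refusing to fetch firmware over an unauthenticated TLS context")
    base = f"https://{UPDATE_HOST}/firmware/{model}"
    with urllib.request.urlopen(f"{base}/manifest.json", context=ctx, timeout=timeout) as r:
        manifest = parse_manifest(r.read())
    with urllib.request.urlopen(f"{base}/{manifest['version']}.img", context=ctx, timeout=timeout) as r:
        image = r.read()
    if not verify_image(image, manifest, model):
        raise RuntimeError("firmware image failed integrity check; not applying")
    return image


# Constructed sample data: a placeholder blob, not a real firmware image format.
SAMPLE_IMAGE = b"EXAMPLE-IMAGE " + bytes(range(256)) * 4
SAMPLE_MANIFEST = json.dumps({
    "model": "RAX30",
    "version": "1.0.14.108",
    "size": len(SAMPLE_IMAGE),
    "sha256": hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
}).encode()

if __name__ == "__main__":
    print("weak context authenticates peer:", context_is_authenticating(weak_context()))
    print("hardened context authenticates peer:", context_is_authenticating(hardened_context()))
    print("sample image verifies:", verify_image(SAMPLE_IMAGE, parse_manifest(SAMPLE_MANIFEST), "RAX30"))
```

The order of the two assignments in `weak_context` is deliberate: Python refuses to set `CERT_NONE` while `check_hostname` is still on, which is one reason this pattern so often appears as a pair of lines copied from a forum answer. The refusal in `fetch_update` to even start a download over a non-authenticating context is the cheap guard that stops the weak configuration from reaching production.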
Potential Impact
Compromise of a router that is a site's default gateway puts the attacker on-path for every flow crossing it: traffic can be intercepted, modified or redirected (DNS rewriting, credential capture on plaintext protocols, injection into unauthenticated sessions), and the device can be disabled outright. The RAX30 and RAXE300 are consumer and small-office models, so the likely European exposure is home offices, branch sites and small businesses where the router is also the only perimeter control and nothing monitors its outbound traffic; a foothold there gives lateral movement into whatever sits behind it, including the VPN or remote-desktop clients staff use to reach corporate networks. Arbitrary command execution on the router's firmware allows persistence that a reboot does not clear and that a configuration reset alone may not remove, and it can be used to stage further malware or ransomware against the LAN. The risk is highest where the router is the sole gateway to sensitive systems and where segmentation behind it is weak.
Mitigation Recommendations
Verify the firmware version of every RAX30 and RAXE300 from the router's admin interface and update to at least 1.0.14.108 (RAX30) or 1.0.9.82 (RAXE300). Because the update check is itself the vulnerable code path, do that first update from a trusted network connection (a known-good upstream, not a public or shared network) so the download cannot be tampered with on the way in; after that, enable automatic updates or schedule periodic manual checks. Compare versions numerically rather than as strings: 1.0.9.82 is older than 1.0.14.108 even though it sorts after it alphabetically. Keep the management interface off the WAN side (remote management disabled) and reachable only from an administrative network segment with strong, unique credentials. Where a NIDS or TLS-aware sensor sees the router's outbound traffic, alert on certificate or server-name changes for the update endpoint and on firmware downloads outside expected windows; a legitimate certificate rotation will also trigger this, so confirm with the vendor before treating a change as an attack. Audit device configuration and logs for unauthorised changes. Treat a router that ran a vulnerable build while connected through an untrusted path as possibly compromised: re-flash it from a known-good image and rotate its credentials rather than only updating in place. Finally, make users and administrators aware that connecting such devices through untrusted networks is exactly the position this attack needs.
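Two of the checks above are easy to get wrong by hand, so here is an added Python example (written for this page, not a NETGEAR or offseq tool) that does both: a fleet triage that compares firmware versions numerically against the fixed releases named in the advisory, and a detector that flags a changed certificate fingerprint for a watched server name across TLS-session records. The inventory, the log lines and the log field layout (Zeek ssl.log-like: timestamp, client, server name, certificate fingerprint) are constructed; the handling of a leading "V" and an underscore suffix in NETGEAR-style version strings is an assumption about their format.

```python
import re
from typing import Iterable, List, Set, Tuple

# Fixed versions taken from the advisory text for CVE-2025-12943.
FIXED_VERSIONS = {
    "RAX30": "1.0.14.108",
    "RAXE300": "1.0.9.82",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version string to an integer tuple. A leading 'V' and any
    '_suffix' are stripped (assumed NETGEAR display format). Plain string
    comparison is wrong here: "1.0.9.82" > "1.0.14.108" lexically, yet 9 < 14."""
    core = v.strip().lstrip("Vv").split("_")[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in core.split("."))


def firmware_is_fixed(model: str, version: str) -> bool:
    """True if model/version is at or above the advisory's fixed release.
    Unknown models return False so they surface for manual review."""
    fixed = FIXED_VERSIONS.get(model.strip().upper())
    if fixed is None:
        return False
    return parse_version(version) >= parse_version(fixed)


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory: (hostname, model, version) triples. Returns those still
    needing the update, in input order."""
    return [(h, m, v) for h, m, v in inventory if not firmware_is_fixed(m, v)]


def cert_changes(log_text: str, watch_hosts: Set[str]) -> List[Tuple[str, str, str, str, str]]:
    """Flag any session where a watched server name presents a leaf
    certificate fingerprint different from the first one that client saw.
    Returns (ts, client, server_name, first_fp, new_fp). A legitimate
    rotation also trips this, so treat hits as something to confirm."""
    seen = {}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, server_name, fp = line.split()
        if server_name not in watch_hosts:
            continue
        key = (client, server_name)
        if key not in seen:
            seen[key] = fp
        elif seen[key] != fp:
            alerts.append((ts, client, server_name, seen[key], fp))
    return alerts


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("gw-01", "RAX30", "V1.0.14.108"),
    ("gw-02", "RAX30", "1.0.9.82"),      # RAX30 on the RAXE300 fixed number: still vulnerable
    ("gw-03", "RAXE300", "1.0.9.82"),
    ("gw-04", "RAXE300", "V1.0.9.80_1.0.1"),
    ("gw-05", "R7000", "1.0.11.136"),    # not in the advisory: surfaced for review
]

# Constructed TLS-session records; not real traffic.
SAMPLE_TLS_LOG = """\
1731300000.1 192.168.1.1 updates.example.invalid sha256:aaaa1111
1731303600.4 192.168.1.1 updates.example.invalid sha256:aaaa1111
1731307200.9 192.168.1.1 updates.example.invalid sha256:ffff9999
1731310800.2 192.168.1.1 ntp.example.invalid sha256:bbbb2222
"""

if __name__ == "__main__":
    for host, model, version in triage(SAMPLE_INVENTORY):
        print(f"NEEDS UPDATE: {host} {model} {version}")
    for alert in cert_changes(SAMPLE_TLS_LOG, {"updates.example.invalid"}):
        print("CERT CHANGE:", alert)
```

Note that gw-02 is flagged even though "1.0.9.82" is a fixed version string for the other model: the comparison is per model, which is the detail a quick grep across an inventory would miss.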
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: NETGEAR
- Date Reserved: 2025-11-10T07:35:29.116Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69136629f922b639ab601262
Added to database: 11/11/2025, 4:36:57 PM
Last enriched: 11/18/2025, 5:11:43 PM
Last updated: 11/22/2025, 7:01:10 AM