
CVE-2025-44658: n/a

Critical
Published: Mon Jul 21 2025 (07/21/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability is caused by not following the specification to only limit FPM to .php extensions. An attacker may exploit this by uploading malicious scripts disguised with alternate extensions and tricking the web server into executing them as PHP, bypassing security mechanisms based on file extension filtering. This may lead to remote code execution (RCE), information disclosure, or full system compromise.

AI-Powered Analysis

Last updated: 08/08/2025, 00:38:56 UTC

Technical Analysis

CVE-2025-44658 affects the Netgear RAX30 router at firmware version 1.0.10.94. The root cause is a PHP-FPM (FastCGI Process Manager) configuration that does not restrict script execution to files ending in .php. The CVE text echoes the guidance shipped with php-fpm.conf for the pool directive security.limit_extensions ("you should only limit FPM to .php extensions"), so the likely defect is that directive being left empty or widened; that attribution is an inference from the wording, not a detail the record states. With the restriction gone, any file the web server hands to FPM is parsed as PHP regardless of its name, so an upload filter that rejects .php but accepts, say, .jpg or .txt is bypassed: the attacker uploads PHP code under an accepted extension and then requests it. The record describes the precondition as uploading a file, so exploitation requires some way to place content under the web root (an upload feature or another write primitive); the description does not say whether that path needs authentication. Once such a file executes, the attacker has arbitrary code execution as the web server's user, which on router firmware is frequently root, and from there access to stored configuration and credentials, traffic on the device, and persistence across reboots. The analysis here maps the weakness to CWE-434 (Unrestricted Upload of File with Dangerous Type) and rates it Critical: a network-reachable, no-privilege, no-interaction upload-to-RCE chain scores 9.8 under CVSS v3.1. Note, however, that the published record as shown under Technical Details carries no CVSS vector ("Cvss Version: null"), so the score and the no-authentication assumption are this assessment's, not the CVE entry's. No public exploit had been reported at the time of this analysis and no fixed firmware was referenced, so the risk to affected devices stands until Netgear publishes an update.

Potential Impact

For European organizations, the impact of CVE-2025-44658 can be severe for anyone relying on the Netgear RAX30 as a network gateway. The RAX30 is a consumer and small-office Wi-Fi 6 router, so the exposed population is mostly home offices, branch sites and SMEs, environments with limited patch management and monitoring. A compromised router gives an attacker a foothold on the internal network: traffic can be intercepted or altered, DNS can be redirected, and the device can be used to pivot to other hosts and escalate further, which affects the confidentiality, integrity and availability of the services behind it. Routers compromised this way are also routinely enrolled in botnets, adding DDoS and proxy capacity used against broader infrastructure, including European critical-infrastructure sectors. Because the device is the network edge, the realistic exposure depends on whether its management interface (and any upload-capable function) is reachable from the WAN or only from the LAN; in the former case, mass exploitation is feasible if the flaw is not mitigated promptly.

Mitigation Recommendations

To mitigate CVE-2025-44658 until fixed firmware is available, European organizations and users should take the following specific actions beyond generic advice:

1) Inventory all Netgear RAX30 devices on the network and, where possible, isolate them from sensitive segments until a patched firmware is available.
2) Monitor traffic from and to these routers for anomalies: unexpected outbound connections, DNS lookups for unfamiliar domains, or command-and-control patterns.
3) Disable remote (WAN-side) management so the web interface is reachable only from the LAN, and restrict which LAN hosts can reach it.
4) Segment the network so a compromised gateway cannot reach critical systems directly.
5) Where an IDS/IPS or WAF sits in front of the router's management interface, alert on or block upload requests whose body contains PHP tags (for example <?php) regardless of the declared file name or extension, since extension filtering is exactly what this flaw bypasses.
6) Track Netgear's security advisories for firmware addressing this CVE and apply it immediately on release.
7) If you have shell access to the device (the stock web UI does not expose the PHP-FPM configuration), set security.limit_extensions = .php in the FPM pool configuration, or stop PHP-FPM if it is not needed; verify the change by requesting an uploaded non-.php file and confirming FPM answers 403 "Access denied." instead of executing it.
8) Brief IT staff and users on the risk and on the importance of timely updates and secure configuration.

These targeted steps reduce the attack surface and limit potential damage until a permanent fix is deployed.
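The following Python is an added example, not code from this page, from Netgear or from the PHP project. It shows the check behind item 7 and the mechanism described under Technical Analysis: it audits php-fpm pool files for the security.limit_extensions directive and models FPM's extension gate on the SCRIPT_FILENAME it receives. The pool snippets are constructed for the example (the RAX30's real configuration is not available here), and attributing the flaw to this directive is an inference from the CVE wording.

```python
"""Audit php-fpm pool files for the extension gate and model what FPM would execute.

Added example; the pool configurations below are constructed, not taken from
RAX30 firmware.  Assumption: the misconfiguration behind CVE-2025-44658 is an
empty or widened `security.limit_extensions` directive.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass

# php-fpm.conf documents `.php` as the default when the directive is absent.
DOCUMENTED_DEFAULT = (".php",)
PHP_EXTENSIONS = {".php", ".phar"}


@dataclass(frozen=True)
class Finding:
    pool: str
    allowed: tuple[str, ...]  # effective allow-list; empty tuple means "anything"
    risky: bool
    reason: str


def effective_extensions(raw: str | None) -> tuple[str, ...]:
    """Absent directive -> documented default; present but empty -> allow all."""
    if raw is None:
        return DOCUMENTED_DEFAULT
    return tuple(raw.split())


def fpm_would_execute(script_filename: str, allowed: tuple[str, ...]) -> bool:
    """Model of FPM's gate: an empty allow-list disables the check entirely,
    otherwise SCRIPT_FILENAME must end with one of the listed extensions.
    A rejected script gets a 403 'Access denied.' from FPM instead of running."""
    if not allowed:
        return True
    return any(script_filename.endswith(ext) for ext in allowed)


def audit_pool_config(text: str) -> list[Finding]:
    """Parse a pool file (INI syntax) and flag every pool whose gate lets
    non-PHP file names through."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep keys such as php_admin_value[...] as written
    cp.read_string(text)
    findings: list[Finding] = []
    for pool in cp.sections():
        if pool == "global":
            continue
        allowed = effective_extensions(cp[pool].get("security.limit_extensions"))
        extra = [ext for ext in allowed if ext not in PHP_EXTENSIONS]
        if not allowed:
            finding = Finding(pool, allowed, True, "empty value: FPM parses any file as PHP")
        elif extra:
            finding = Finding(pool, allowed, True, f"non-PHP extensions allowed: {extra}")
        else:
            finding = Finding(pool, allowed, False, "restricted to PHP extensions")
        findings.append(finding)
    return findings


# Constructed pool files: the weak one disables the gate, the hardened one keeps it,
# and the third relies on the documented default by leaving the directive commented out.
WEAK_POOL = """
[www]
listen = /run/php-fpm.sock
; empty value disables the extension check
security.limit_extensions =
"""

HARDENED_POOL = """
[www]
listen = /run/php-fpm.sock
security.limit_extensions = .php
"""

DEFAULT_POOL = """
[www]
listen = /run/php-fpm.sock
;security.limit_extensions = .php
"""


def demo() -> dict[str, bool]:
    """Run the same disguised upload against each configuration."""
    upload = "/www/uploads/avatar.jpg"  # PHP code stored under an accepted extension
    results: dict[str, bool] = {}
    for name, cfg in (("weak", WEAK_POOL), ("hardened", HARDENED_POOL), ("default", DEFAULT_POOL)):
        finding = audit_pool_config(cfg)[0]
        executed = fpm_would_execute(upload, finding.allowed)
        print(f"{name:9} risky={finding.risky!s:5} {finding.reason}; {upload} executed={executed}")
        results[name] = executed
    return results


if __name__ == "__main__":
    demo()
```

The FPM directive is the last line of defence, not the only one: the web server in front of it should also route only requests matching \.php$ to FastCGI and resolve the script with try_files (or equivalent) before passing it, and cgi.fix_pathinfo=0 in php.ini removes the PATH_INFO splitting that lets /avatar.jpg/x.php resolve to the image. Those are general PHP-FPM hardening settings, not details taken from the CVE record.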


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 687e60bea83201eaac114e74

Added to database: 7/21/2025, 3:46:06 PM

Last enriched: 8/8/2025, 12:38:56 AM

Last updated: 8/14/2025, 12:33:59 AM
