CVE-2025-4135: Netgear WG302v2 ui_get_input_value command injection

5.3 CVSS

Description

A vulnerability was found in Netgear WG302v2 up to 5.2.9 and classified as critical. Affected by this issue is the function ui_get_input_value. The manipulation of the argument host leads to command injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. Eine Schwachstelle wurde in Netgear WG302v2 bis 5.2.9 gefunden. Sie wurde als kritisch eingestuft. Es geht hierbei um die Funktion ui_get_input_value. Dank Manipulation des Arguments host mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden.

Classification

CVE ID: CVE-2025-4135

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Problem Types

Command Injection Injection

Affected Products

Vendor: Netgear

Product: WG302v2

Exploit Prediction Scoring System (EPSS)

EPSS Score: 1.33% (probability of being exploited)

EPSS Percentile: 78.84% (scored less or equal to compared to others)

EPSS Date: 2025-05-07 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4135
https://vuldb.com/?id.306626
https://vuldb.com/?ctiid.306626
https://vuldb.com/?submit.560779
https://github.com/jylsec/vuldb/blob/main/Netgear/netgear_WG302v2/Command_injection-basic_settings_handler-static-ip-update/README.md
https://www.netgear.com/

Timeline

2025-04-30 18:40:19 UTC
CVE

Netgear WG302v2 ui_get_input_value command injection