CVE-2025-12943 in RAX30
Summary
by MITRE • 11/11/2025
Improper certificate validation in firmware update logic in NETGEAR RAX30 (Nighthawk AX5 5-Stream AX2400 WiFi 6 Router) and RAXE300 (Nighthawk AXE7800 Tri-Band WiFi 6E Router) allows attackers with the ability to intercept and tamper traffic destined to the device to execute arbitrary commands on the device.
Devices with automatic updates enabled may already have this patch applied. If not, please check the firmware version and update to the latest.
Fixed in:
RAX30 firmware 1.0.14.108 or later.
RAXE300 firmware 1.0.9.82 or later.
Analysis
by VulDB Data Team • 12/08/2025
This vulnerability is a flaw in the firmware update mechanism of NETGEAR's RAX30 and RAXE300 wireless routers, specifically in how the update logic validates certificates while retrieving an update. The issue stems from improper validation of the digital certificate presented to the update client, which gives an attacker who controls the network path a way to bypass the control that is supposed to authenticate the update channel and, per the advisory, to execute arbitrary commands on the device. The vulnerability is classified under CWE-295 (Improper Certificate Validation), a well-documented weakness in which a client accepts a certificate it should reject; that directly undermines the integrity and authenticity of anything fetched over the channel, software updates included.
Exploitation requires an attacker who can intercept and tamper with traffic between the router and the update server, for example from a compromised upstream network, a rogue access point the router is uplinked through, or another on-path position. The advisory does not say which check fails, but CWE-295 in an update client typically means the TLS server certificate is not validated against a trusted root or is not checked against the expected hostname, so the attacker can impersonate the update server and hand the router a crafted response that the update logic then acts on. In ATT&CK terms this is Adversary-in-the-Middle (T1557) used to reach Modify System Image: Patch System Image (T1601.001). Update logic on consumer routers of this class typically runs as root, so command execution at this point gives the attacker full control of the device, including the ability to persist through a modified firmware image and to use the router for traffic monitoring, data exfiltration, and lateral movement into the LAN.
The operational impact is severe: full control of the router lets an attacker manipulate or redirect traffic for every device behind it and stage further attacks against the LAN. The attack needs only the ability to intercept and tamper with traffic, so it is reachable through man-in-the-middle positions and compromised network infrastructure without any access to the router's management interfaces. Devices with automatic updates enabled may already have received the fix; administrators should still confirm the running firmware version rather than assume it. NETGEAR's advisory does not describe the code change beyond the fixed versions, so the specific certificate checks that were added are not public.
NETGEAR has addressed this vulnerability through firmware updates for both affected models: the RAX30 requires firmware 1.0.14.108 or later, and the RAXE300 requires 1.0.9.82 or later. Organizations should prioritize updating these devices, since the vulnerability gives an on-path attacker a straightforward route to persistent control of network infrastructure; where an image is applied manually, download it from NETGEAR over a properly validated HTTPS connection rather than through an untrusted network. More generally, the case illustrates what a robust embedded update path needs: the client must validate the update server's certificate chain and hostname (ideally pinned to the vendor's own CA), and the image itself should carry a signature that is verified before installation, so that compromising the transport alone cannot lead to code execution.
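The weak and hardened update-client patterns discussed above, as an added example in Go that is not NETGEAR's code and is not derived from the RAX30 or RAXE300 firmware (which is not public). It builds a constructed vendor CA, an attacker CA and an image-signing key in-process and stands up loopback TLS servers; the hostname updates.example, the certificate names and the firmware bytes are stand-ins. The vulnerable client (InsecureSkipVerify, the CWE-295 pattern) accepts an attacker's server that presents a certificate for the right hostname issued by the wrong CA; the hardened client trusts only the vendor CA and checks the hostname, and the image-signature check rejects a tampered image even if the transport had been compromised.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// updateHost is an assumed stand-in; the advisory does not name NETGEAR's real update endpoint.
const updateHost = "updates.example"

// newCert mints a constructed P-256 cert for updateHost: a self-signed CA when parent is nil, else a leaf signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{updateHost},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// exchange stands up a loopback TLS "update server" presenting leaf, then has the router-side client download from it using cfg.
func exchange(leaf *x509.Certificate, key *ecdsa.PrivateKey, payload []byte, cfg *tls.Config) ([]byte, error) {
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // server side: Write performs the handshake; a client that rejects the cert just fails it
		if c, err := ln.Accept(); err == nil {
			c.Write(payload)
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg) // cfg is what decides whether the server is authenticated
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return io.ReadAll(conn)
}

// insecureConfig is the CWE-295 pattern: any certificate from anyone is accepted.
func insecureConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// hardenedConfig trusts only the vendor's update CA and checks the expected hostname.
func hardenedConfig(vendorCA *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(vendorCA)
	return &tls.Config{RootCAs: pool, ServerName: updateHost, MinVersion: tls.VersionTLS12}
}

// verifyFirmware checks a signature over the image itself before flashing, so a compromised transport alone cannot install code.
func verifyFirmware(img, sig []byte, pub *ecdsa.PublicKey) bool {
	h := sha256.Sum256(img)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

type Outcome struct{ InsecureAcceptsAttacker, HardenedRejectsAttacker, HardenedAcceptsVendor, TamperedImageRejected bool }
func RunScenario() Outcome {
	vendorCA, caKey := newCert("constructed vendor update CA", nil, nil)
	vendorLeaf, vendorKey := newCert(updateHost, vendorCA, caKey)
	attackerCA, atkCAKey := newCert("constructed attacker CA", nil, nil)
	attackerLeaf, atkKey := newCert(updateHost, attackerCA, atkCAKey) // right hostname, wrong chain
	genuine, tampered := []byte("constructed firmware image"), []byte("constructed firmware image with attacker payload")
	got, err := exchange(attackerLeaf, atkKey, tampered, insecureConfig())
	insecureAccepts := err == nil && string(got) == string(tampered)
	_, err = exchange(attackerLeaf, atkKey, tampered, hardenedConfig(vendorCA))
	hardenedRejects := err != nil
	got, err = exchange(vendorLeaf, vendorKey, genuine, hardenedConfig(vendorCA))
	hardenedAccepts := err == nil && string(got) == string(genuine)
	signKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the vendor's image-signing key, constructed
	h := sha256.Sum256(genuine)
	sig, _ := ecdsa.SignASN1(rand.Reader, signKey, h[:])
	return Outcome{InsecureAcceptsAttacker: insecureAccepts, HardenedRejectsAttacker: hardenedRejects, HardenedAcceptsVendor: hardenedAccepts,
		TamperedImageRejected: verifyFirmware(genuine, sig, &signKey.PublicKey) && !verifyFirmware(tampered, sig, &signKey.PublicKey)}
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Running it prints all four fields true. When reviewing an embedded update client, the two things to look for are the equivalents of hardenedConfig (a pinned or properly validated chain plus hostname check) and verifyFirmware (a signature over the image checked before it is written to flash); either one missing is the kind of gap CWE-295 describes.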