CVSS: 6.5EPSS: 1%CPEs: 10EXPL: 0CVE-2025-4135 – Netgear WG302v2 ui_get_input_value command injection
https://notcve.org/view.php?id=CVE-2025-4135
30 Apr 2025 — A vulnerability was found in Netgear WG302v2 up to 5.2.9 and classified as critical. Affected by this issue is the function ui_get_input_value. The manipulation of the argument host leads to command injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. • https://github.com/jylsec/vuldb/blob/main/Netgear/netgear_WG302v2/Command_injection-basic_settings_handler-static-ip-update/README.md • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.0EPSS: 1%CPEs: 4EXPL: 0CVE-2023-38921
https://notcve.org/view.php?id=CVE-2023-38921
07 Aug 2023 — Netgear WG302v2 v5.2.9 and WAG302v2 v5.1.19 were discovered to contain multiple command injection vulnerabilities in the upgrade_handler function via the firmwareRestore and firmwareServerip parameters. • https://github.com/FirmRec/IoT-Vulns/tree/main/netgear/upgrade_handler • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •