CVE-2013-4775
Published 2013-12-19
Priority: P260 high
CVSS 2.0: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)
EXPLOIT
EPSS: 14.96% (96.3th percentile)
NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier; GS748Tv4 with firmware 5.4.1.14; GS510TP with firmware 5.4.0.6; GS752TPS, GS728TPS, GS728TS, and GS725TS with firmware 5.3.0.17; and GS752TXS and GS728TXS with firmware 6.1.0.12 allows remote attackers to read encrypted administrator credentials and other startup configurations via a direct request to filesystem/startup-config.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgear | prosafe_firmware | <= 5.4.1.13 | — |
| netgear | prosafe_firmware | <= 5.4.1.14 | — |
| netgear | prosafe_firmware | — | — |
| netgear | prosafe_firmware | — | — |
| netgear | prosafe_firmware | — | — |
| netgear | prosafe_firmware | — | — |
| netgear | prosafe_firmware | — | — |
| netgear | prosafe_firmware | — | — |
| netgear | prosafe_gs724t | — | — |
| netgear | prosafe_gs748t | — | — |
| netgear | prosafe_s716t | — | — |
Detection & IOCs (extracted from sources)
- Alert on any unauthenticated HTTP GET request to the path /filesystem/startup-config on NETGEAR ProSafe device management interfaces, as this is the direct path exploited to retrieve encrypted credentials and startup configuration.
- Monitor for HTTP requests to /filesystem/startup-config accompanied by the User-Agent string 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)', which is used by the public PoC exploit.
- The vulnerability affects multiple NETGEAR ProSafe firmware versions across several device models; ensure detection coverage applies to all affected firmware branches (5.4.1.13 and earlier, 5.4.1.14, 5.4.0.6, 5.3.0.17, and 6.1.0.12).
- The retrieved startup-config contains encrypted administrator credentials, meaning credential exposure is present even if the attacker cannot immediately decrypt them; treat any successful retrieval of this file as a critical incident.
No detection rules found.
No writeups or analysis indexed.
Published: 2013-12-19