CVE-2023-49693
published 2023-11-29

CVE-2023-49693: NETGEAR ProSAFE Network Management System has Java Debug Wire Protocol (JDWP) listening on port 11611 and it is remotely accessible by unauthenticated users…

Priority: P261 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.15% (63.0th percentile)
NETGEAR ProSAFE Network Management System has Java Debug Wire Protocol (JDWP) listening on port 11611 and it is remotely accessible by unauthenticated users, allowing attackers to execute arbitrary code.

Affected (2 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgear | netgear_prosafe_network_management_system | < 1.7.0.34 | 1.7.0.34 |
| netgear | prosafe_network_management_system | < 1.7.0.34 | 1.7.0.34 |

Detection & IOCs (extracted from sources)

  • port: 11611
  • command: exploit/multi/misc/java_jdwp_debugger
  • path: C:\Program Files\NMS300\NMS300\apache-tomcat-6.0.33\webapps\ROOT\cmd.jsp
  • filename: cmd.jsp
  • url: http://localhost:8080/cmd.jsp?c=whoami
  • command: -Xdebug -Xrunjdwp:transport=dt_socket,address=11611,server=y,suspend=n

  • Detect unauthenticated inbound TCP connections to port 11611 on NMS300 hosts; this port exposes JDWP and should never be reachable from untrusted networks.
  • Alert on Metasploit module execution targeting JDWP: look for use of exploit/multi/misc/java_jdwp_debugger in endpoint or network telemetry.
  • Monitor for creation of JSP files (e.g., cmd.jsp) inside the Tomcat webapps/ROOT directory, especially via MySQL DUMPFILE writes, as this indicates the privilege escalation path.
  • Monitor HTTP requests to /cmd.jsp with query parameters (e.g., ?c=) on the NMS300 Tomcat instance (port 8080), which indicates a deployed web shell.
  • Detect JDWP breakpoints set on com.elite.wifi.manager.utils.AESSaltEncryptUtil.decrypt() or com.elite.wifi.manager.dbservice.user.UserService.userLogin() — these are targeted by attackers to intercept and decrypt admin credentials.
  • Check Windows registry key HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\NMS300_Server\Parameters\Java\Options for the presence of -Xdebug and -Xrunjdwp flags to confirm vulnerable JDWP configuration.
  • The MySQL instance bundled with NMS300 listens on port 3311 with root credentials root:root, allowing any low-privileged OS user to write arbitrary files via SELECT INTO DUMPFILE.
  • The Tomcat web application runs under SYSTEM privileges, so any JSP webshell dropped into webapps/ROOT executes as NT AUTHORITY\SYSTEM.
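
The registry check described above can be scripted on an NMS300 host. The following is an added example, not code from the source page or from NETGEAR: it reads the Procrun `Options` value named above, parses any JDWP agent option, and reports whether the configured port is listening on a non-loopback address. The function name `Get-JdwpSetting` is hypothetical, and the script assumes PowerShell 3.0+ with the `Get-NetTCPConnection` cmdlet (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the source page): audit the Procrun JVM options for JDWP.
$key = 'HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\NMS300_Server\Parameters\Java'

function Get-JdwpSetting {   # hypothetical helper name
    param([string[]]$JvmOptions)
    foreach ($opt in $JvmOptions) {
        # Covers the legacy -Xrunjdwp: form and the equivalent -agentlib:jdwp= form.
        if ($opt -match '^-(?:Xrunjdwp:|agentlib:jdwp=)(.+)$') {
            $kv = @{}
            foreach ($pair in ($Matches[1] -split ',')) {
                $name, $value = $pair -split '=', 2
                $kv[$name.Trim()] = "$value".Trim()
            }
            [pscustomobject]@{
                Option = $opt
                Server = ($kv['server'] -eq 'y')   # server=y means the JVM listens
                # address may be "port" or "host:port"; $null if it is not numeric
                Port   = (("$($kv['address'])" -split ':')[-1]) -as [int]
            }
        }
    }
}

$raw = (Get-ItemProperty -Path $key -Name Options -ErrorAction SilentlyContinue).Options
# Options is normally a multi-string value; also tolerate one whitespace-separated string.
$options = @($raw | ForEach-Object { $_ -split '\s+' } | Where-Object { $_ })
$jdwp = @(Get-JdwpSetting -JvmOptions $options)

if ($options.Count -eq 0) {
    Write-Output "No Java options found under $key"
} elseif ($jdwp.Count -eq 0) {
    Write-Output 'No JDWP agent option is configured for the service.'
} else {
    foreach ($j in $jdwp) {
        Write-Output "JDWP configured: $($j.Option) (server=$($j.Server), port=$($j.Port))"
        if (-not $j.Port) { continue }
        # Is the port actually listening, and on a non-loopback address?
        $listen = @(Get-NetTCPConnection -State Listen -LocalPort $j.Port -ErrorAction SilentlyContinue)
        foreach ($l in $listen) {
            $scope = if ($l.LocalAddress -in '127.0.0.1', '::1') { 'loopback only' } else { 'reachable from the network' }
            Write-Output "  listening on $($l.LocalAddress):$($l.LocalPort) ($scope)"
        }
        if ($listen.Count -eq 0) { Write-Output '  not currently listening (service stopped?)' }
    }
}
```

A result showing a JDWP option with a network-reachable listener matches the vulnerable configuration; the table above lists 1.7.0.34 as the fixed version.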