Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (NETGEAR) · only source for this CVE.
CVSS VectorVendor: NETGEAR
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A NETGEAR security issue that could allow an attacker with ability to intercept and tamper with traffic between the router and the Internet to run commands on your device when the device administrator performs certain specific management actions. This issue affects NETGEAR Orbi 370 series devices before V12.1.2.7.
AnalysisAI
Remote command execution in NETGEAR Orbi 370 series routers (firmware before V12.1.2.7) is achievable by a network-positioned adversary who can intercept and tamper with traffic between the device and the internet. Exploitation requires the device administrator to perform specific management actions while the attacker holds a man-in-the-middle position, at which point a buffer overflow (CWE-119) is triggered allowing arbitrary command execution on the device. No public exploit exists at time of analysis and the vendor has released a patching firmware (V12.1.2.7); no KEV listing has been issued by CISA.
Technical ContextAI
The vulnerability is rooted in CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), consistent with the 'Buffer Overflow' tag supplied in the intelligence data, indicating that the Orbi 370 firmware fails to properly bound-check data received over its internet-facing management communication channel. The affected product is identified by CPE cpe:2.3:a:netgear:orbi_370 and applies specifically to the RBE372 hardware line running firmware versions prior to V12.1.2.7. The attack surface is the communication path between the router and NETGEAR's cloud or update infrastructure - a channel traversed during administrative management operations - meaning the overflow is triggered by maliciously crafted server-side responses injected via a MitM position rather than by direct client-initiated input. CVSS 4.0 attack vector AV:N with AC:H and AT:P (Additional Prerequisites required) confirms the network-reachable but conditionally exploitable nature of this channel.
RemediationAI
The primary remediation is to upgrade affected NETGEAR Orbi 370 (RBE372) devices to firmware version V12.1.2.7 or later, available through the vendor's support page at https://www.netgear.com/support/product/rbe372/. This is a vendor-released patch confirmed by the NETGEAR advisory and the EUVD record. For environments where immediate firmware upgrade is not possible, compensating controls should focus on disrupting the MitM prerequisite: enforce HTTPS certificate pinning or DNS-over-HTTPS for management traffic to make traffic interception and injection significantly harder, restrict administrative management operations to trusted network segments only, and audit network paths between the Orbi device and its upstream internet connection for unexpected ARP entries or routing anomalies. Note that disabling remote management entirely removes the attack surface for this specific trigger entirely, at the cost of loss of remote administration capability. No workaround fully substitutes for the firmware patch.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35450
GHSA-p428-r6gm-23pg