Skip to main content

NETGEAR Orbi CVE-2026-0411

| EUVDEUVD-2026-35465 MEDIUM
Information Exposure (CWE-200)
2026-06-09 NETGEAR GHSA-j8rf-h5jg-xxh6
4.2
CVSS 4.0 · Vendor: NETGEAR
Share

Severity by source

Vendor (NETGEAR) PRIMARY
4.2 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (NETGEAR) · only source for this CVE.

CVSS VectorVendor: NETGEAR

CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 20:14 vuln.today
CVSS changed
Jun 09, 2026 - 17:22 NVD
4.2 (MEDIUM)
CVE Published
Jun 09, 2026 - 15:50 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An information disclosure vulnerability in the NETGEAR Orbi satellites could allow a user connected to your network to gain administrator access to the Orbi router. The listed NETGEAR models are affected by this vulnerability.

Orbi WiFi Systems without satellite devices are not impacted by this issue.

AnalysisAI

Information disclosure in NETGEAR Orbi satellite devices (RBR350, RBR760, RBS350, RBS760, RBE97x) allows a low-privileged user on the same network to obtain administrator access to the Orbi router. The flaw resides specifically in the satellite-to-router communication layer, as NETGEAR explicitly confirms Orbi systems deployed without satellites are unaffected. No public exploit exists (CVSS E:U) and CISA SSVC rates exploitation as none, but the high secondary impact scores (SC:H/SI:H/SA:H) reflect that successful exploitation yields full router compromise.

Technical ContextAI

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to Unauthorized Actor), indicating the Orbi satellite units improperly disclose sensitive data - likely administrator credentials, session tokens, or configuration material - accessible to a network-adjacent user. The CVSS 4.0 vector uses AV:A (adjacent network), confirming exploitation is bounded to the same LAN or wireless segment; remote internet-based exploitation is architecturally precluded. The AT:P modifier in CVSS 4.0 indicates a prerequisite attack condition must be met, consistent with the requirement that at least one satellite device be paired and active. Affected CPEs span both the router units (cpe:2.3:a:netgear:rbr350, cpe:2.3:a:netgear:rbr760) and satellite units (cpe:2.3:a:netgear:rbs350, cpe:2.3:a:netgear:rbs760, cpe:2.3:a:netgear:rbe97x), pointing to a flaw in the inter-device mesh communication protocol rather than the router's standalone web interface.

RemediationAI

Apply the vendor-released firmware patches immediately: update RBR350 and RBS350 devices to V4.4.2.2 or later, and update RBR760, RBS760, and RBE97x devices to V6.3.8.11 or later. Firmware can be downloaded directly from the NETGEAR support pages linked in the affected products section. Both the router and satellite units in a mesh system should be updated together, as the vulnerability spans the satellite-to-router communication layer. For deployments where immediate patching is not feasible, network segmentation is the most targeted compensating control: placing the Orbi management network on a dedicated VLAN and isolating untrusted users (e.g., guests) from the same L2 segment prevents adjacent-network access - note this may require managed switch infrastructure and will restrict guest connectivity features. As a more disruptive but complete temporary mitigation, disabling satellite devices until patching is complete eliminates the attack surface entirely at the cost of reduced mesh coverage area.

Share

CVE-2026-0411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy