Skip to main content

NETGEAR RBE97x CVE-2026-0414

| EUVDEUVD-2026-35463 MEDIUM
Code Injection (CWE-94)
2026-06-09 NETGEAR GHSA-2w26-w7q4-pcw2
4.3
CVSS 4.0 · Vendor: NETGEAR
Share

Severity by source

Vendor (NETGEAR) PRIMARY
4.3 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (NETGEAR) · only source for this CVE.

CVSS VectorVendor: NETGEAR

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 20:13 vuln.today
CVSS changed
Jun 09, 2026 - 17:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 09, 2026 - 15:50 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient input validation vulnerability in the listed NETGEAR models allows authenticated administrators connected to the local network to make unauthorized modification of router software and functionality.

AnalysisAI

Code injection in NETGEAR RBE97x routers (firmware prior to V9.12.4.9) enables authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their sanctioned scope. The vulnerability stems from insufficient input validation (CWE-94), where administrator-supplied input is not properly sanitized before being processed, potentially allowing execution of injected code. No public exploit exists and CISA SSVC classifies exploitation status as 'none', making this a low-urgency but valid integrity risk for environments where shared or compromised admin accounts are a concern.

Technical ContextAI

The root cause is CWE-94 (Improper Control of Generation of Code - Code Injection), where the router's administrative interface fails to adequately validate or sanitize input provided by authenticated administrators. This allows crafted input to be interpreted and executed as code rather than data, a classic injection pattern. The affected hardware is the NETGEAR RBE97x (CPE: cpe:2.3:a:netgear:rbe97x), a prosumer/SMB Wi-Fi 6 access point and router platform. The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:H/UI:N) confirms the attack is adjacent-network only - the attacker must be physically or logically co-located on the same network segment - and requires high-privilege (administrator-level) credentials, sharply limiting the realistic attack surface.

RemediationAI

The primary fix is to upgrade NETGEAR RBE97x firmware to version V9.12.4.9 or later, which is available directly from NETGEAR at https://www.netgear.com/support/product/rbe970/. This is a vendor-released patch and is the recommended remediation. As a compensating control prior to patching, restrict administrative access to the router's management interface to only explicitly trusted devices and IP addresses using access control lists or VLAN segmentation; note this does not eliminate the vulnerability but reduces the population of potential abusers. Additionally, audit and rotate administrator credentials and enforce the principle of least privilege - avoid sharing admin accounts across multiple personnel. These controls reduce insider and compromised-credential risk but are not substitutes for applying the firmware update.

Share

CVE-2026-0414 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy