Skip to main content

NETGEAR Orbi CVE-2026-0415

| EUVDEUVD-2026-35464 MEDIUM
Improper Input Validation (CWE-20)
2026-06-09 NETGEAR GHSA-q37p-q3j4-w7g6
4.3
CVSS 4.0 · Vendor: NETGEAR
Share

Severity by source

Vendor (NETGEAR) PRIMARY
4.3 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (NETGEAR) · only source for this CVE.

CVSS VectorVendor: NETGEAR

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 20:12 vuln.today
CVSS changed
Jun 09, 2026 - 17:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 09, 2026 - 15:50 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient input validation vulnerability in the listed NETGEAR models allows authenticated administrators connected to the local network to make unauthorized modification of router software and functionality.

AnalysisAI

Insufficient input validation across multiple NETGEAR Orbi mesh router models (RBR/RBS/RBE series) permits authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their intended privilege scope. Affected are all firmware versions prior to V7.2.8.5 on most Orbi models and prior to V9.12.4.9 on the RBE97x series. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; NETGEAR self-reported and has released patched firmware addressing the flaw.

Technical ContextAI

The affected devices are NETGEAR's Orbi mesh networking product line, spanning satellite (RBS), router (RBR), and enterprise/business-grade (RBE) models including the RBR750, RBR840, RBR850, RBR860, RBRE950, RBRE960, RBE97x, RBS750, RBS840, RBS850, and associated RBSE variants. The root cause is CWE-20 (Improper Input Validation) - the firmware's administrative interface fails to sufficiently validate or constrain inputs supplied by authenticated administrator sessions, allowing inputs that should be rejected to reach sensitive software modification pathways. The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:H/UI:N) confirms the attack surface is the adjacent local network (LAN/Wi-Fi), that no special attack preconditions beyond admin credentials are required, and that no user interaction is needed once authenticated. Despite being tagged 'Authentication Bypass,' the vector PR:H indicates the bypass is one of authorization scope rather than authentication itself - a legitimately authenticated admin can exceed the bounds of permitted operations.

RemediationAI

The primary remediation is to upgrade firmware to the patched versions released by NETGEAR: V7.2.8.5 or later for RBR750, RBR840, RBR850, RBR860, RBRE950, RBRE960, RBS750, RBS840, RBS850, RBS860, RBSE950, and RBSE960; and V9.12.4.9 or later for the RBE97x series. Firmware updates can be applied via the Orbi web administration interface or the Orbi mobile app. NETGEAR product-specific advisory and firmware download pages include: https://www.netgear.com/support/product/rbr850/, https://www.netgear.com/support/product/rbr750/, https://www.netgear.com/support/product/rbr860/, https://www.netgear.com/support/product/rbs850/, https://www.netgear.com/support/product/rbs750/, https://www.netgear.com/support/product/rbs840/, https://www.netgear.com/support/product/rbr840/, https://www.netgear.com/support/product/rbre950/, https://www.netgear.com/support/product/rbre960/, and https://www.netgear.com/support/product/rbe970/. As a compensating control prior to patching, administrators should rotate all Orbi admin credentials and enforce unique, complex passwords to reduce the risk of credential compromise that would enable exploitation. Restricting physical and Wi-Fi access to the local network segment hosting the Orbi routers limits adjacent-network exposure but does not eliminate risk from insider threats.

Share

CVE-2026-0415 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy