Skip to main content

NETGEAR JR6150 CVE-2026-0419

| EUVDEUVD-2026-35454 MEDIUM
Improper Input Validation (CWE-20)
2026-06-09 NETGEAR GHSA-whpf-5jfj-q9v4
4.4
CVSS 4.0 · Vendor: NETGEAR
Share

Severity by source

Vendor (NETGEAR) PRIMARY
4.4 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:L/U:Amber

Primary rating from Vendor (NETGEAR) · only source for this CVE.

CVSS VectorVendor: NETGEAR

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:L/U:Amber
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 20:06 vuln.today
CVSS changed
Jun 09, 2026 - 17:22 NVD
4.4 (MEDIUM)
CVE Published
Jun 09, 2026 - 15:50 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient input validation in NETGEAR JR6150 (AC750 WiFi Router 802.11ac Dual Band Gigabit released in 2014) allows users connected to the local WiFi Networks to execute operating system commands. NETGEAR JR6150 has reached End-of-Support phase as of 2018 , and no further security updates are planned. NETGEAR strongly recommends replacing these devices with newer NETGEAR models to ensure continued security support and updates.

This vulnerability has been identified through firmware emulation in a controlled research environment and has not been verified on production hardware.

AnalysisAI

OS command injection in NETGEAR JR6150 firmware (all versions ≤ 1.0.1.26) allows locally authenticated or WiFi-connected users to execute arbitrary operating system commands via insufficient input validation (CWE-20). The device reached End-of-Support in 2018 and NETGEAR will not release a patch, leaving all deployments permanently unmitigated. No public exploit code exists and active exploitation has not been confirmed (not listed in CISA KEV), but the perpetual absence of patching makes device replacement the only durable remediation.

Technical ContextAI

The NETGEAR JR6150 is an AC750 dual-band 802.11ac gigabit router released in 2014, identified via CPE cpe:2.3:a:netgear:jr6150:*:*:*:*:*:*:*:*. The root cause is CWE-20 (Improper Input Validation): user-supplied input passed to a router management or configuration function is not sanitized before being processed by the underlying operating system, enabling classic OS command injection. This class of vulnerability typically arises in embedded Linux-based router firmware where web interface parameters or CLI inputs are forwarded directly to shell commands (e.g., via system() or popen() calls) without escaping or allowlist validation. The vulnerability was discovered through firmware emulation in a controlled research environment and has not been independently confirmed on production hardware, a limitation explicitly captured in the CVSS 4.0 Exploit Maturity modifier (E:U, Unreported) and Report Confidence modifier (RE:L, Low).

RemediationAI

No vendor-released patch is available and none is planned, as the NETGEAR JR6150 reached End-of-Support in 2018. NETGEAR officially recommends replacing the device with a currently supported NETGEAR model as the only permanent resolution. For operators unable to replace immediately, compensating controls should include restricting WiFi association to trusted devices using WPA3 with strong credentials and, where supported, client isolation to prevent user-to-router management plane access - reducing the population of users who can reach the vulnerable interface. Placing the router behind a network access control layer or on an isolated VLAN limits the blast radius if exploited. Disabling any WAN-side or remote management interfaces removes internet-facing exposure, though the vulnerability appears limited to local/adjacent access regardless. Note that none of these controls eliminate the vulnerability; MAC address filtering in particular can be bypassed trivially by a motivated local attacker. Device replacement remains the only durable fix. Refer to https://www.netgear.com/support/product/jr6150 for replacement guidance.

Share

CVE-2026-0419 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy