Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (NETGEAR) · only source for this CVE.
CVSS VectorVendor: NETGEAR
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability in the affected NETGEAR gaming routers allows attackers with the ability to intercept and tamper traffic between the router and the Internet, to execute code on the device.
AnalysisAI
Remote code execution affects NETGEAR gaming routers (XR1000, MR70, MS70, RAXE500) when an attacker holds an on-path man-in-the-middle position between the device and the internet. The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N) confirms no privileges are needed on the target device but requires both high attack complexity and a specific network prerequisite - the ability to intercept and tamper with upstream traffic. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
The root cause is CWE-20 (Improper Input Validation), meaning the router firmware processes data received from the internet without adequate validation, allowing attacker-controlled content to influence execution flow. The CVSS 4.0 'Attack Requirements: Present' (AT:P) metric formally captures the prerequisite of an on-path network position, distinguishing this from straightforward remote exploitation. Affected products confirmed via CPE strings are: cpe:2.3:a:netgear:xr1000, cpe:2.3:a:netgear:mr70, cpe:2.3:a:netgear:ms70, and cpe:2.3:a:netgear:raxe500 - all consumer/gaming-class routers in NETGEAR's lineup. The CVSS confidentiality (VC:H) and integrity (VI:H) impacts, combined with the 'Information Disclosure' tag, suggest the vulnerability may expose sensitive router data in addition to enabling code execution, though the exact vulnerable service or protocol is not identified in available data.
RemediationAI
The primary fix is to update router firmware immediately to the patched versions confirmed by NETGEAR and ENISA EUVD-2026-35455: XR1000 to V1.0.2.86 or later, MR70 to V1.0.4.48 or later, MS70 to V1.0.4.48 or later, and RAXE500 to V1.2.14.114 or later. Firmware updates can be applied via the router's admin interface or NETGEAR's support pages at the product-specific URLs listed in the references. If immediate patching is not possible, a compensating control is to ensure the router's WAN-facing communications are limited to trusted update endpoints using firewall ACLs on upstream infrastructure, reducing the surface for traffic tampering - note this may interfere with legitimate router cloud features. Enabling HTTPS-only communications and verifying certificate pinning behavior in the router's update mechanism (if configurable) may reduce MitM feasibility, though this is not confirmed as effective against this specific flaw. The side effect of restricting WAN traffic is potential loss of NETGEAR cloud services, dynamic DNS, or remote management functionality.
A security flaw in the router's certificate validation process was discovered in the NETGEAR XR1000 Gaming Router and ce
Insufficient input validation across 30+ NETGEAR router, range extender, and mesh networking models enables local networ
Integrity tampering in NETGEAR router and mesh network firmware allows authenticated administrators on the local network
System integrity tampering across a broad portfolio of NETGEAR home and small-business networking devices allows authent
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35455
GHSA-jx2q-67wh-xh52