Severity by source
CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:L/U:Amber
Primary rating from Vendor (NETGEAR) · only source for this CVE.
CVSS VectorVendor: NETGEAR
CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:L/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
Authenticated administrators connected to the local network can gain elevated access to the router and make unauthorized changes to router software and functionality.
AnalysisAI
Integrity controls on multiple NETGEAR router firmware lines can be subverted by authenticated administrators on the local network through improper input validation (CWE-20), enabling privilege escalation beyond the intended administrative authorization boundary and permitting unauthorized modifications to router software and functionality. Twenty distinct NETGEAR SKUs across the R7000, RAX, RAXE, and XR1000 series are confirmed affected per ENISA EUVD-2026-35452, each with specific patched firmware thresholds now released by the vendor. No public exploit exists at time of analysis (CVSS E:U), and multiple CVSS constraints - adjacent-only attack vector, high complexity, and high privilege requirement - substantially limit the realistic threat population.
Technical ContextAI
The root cause is CWE-20 (Improper Input Validation) within the router's firmware administrative logic. Despite being tagged 'Authentication Bypass,' the CVSS 4.0 vector specifies PR:H (high privileges required), indicating this is more precisely a post-authentication privilege escalation - an already-authenticated administrator can craft inputs that circumvent authorization checks and gain access exceeding their intended scope, rather than bypassing the login mechanism entirely. The adjacent attack vector (AV:A) constrains exploitation to the same LAN or WLAN segment as the device. Affected CPEs confirmed by the vendor span ten distinct product lines in NVD: cpe:2.3:a:netgear:r7000, rax20, rax35v2, rax41, rax41v2, rax42, rax42v2, rax43, rax43v2, and rax45, with EUVD extending that list to include RAX49S, RAX50, RAX50S, RAX50v2, RAX54v2, RAX54Sv2, RAXE450, RAXE500, XR1000, and XR1000v2 - all consumer and prosumer Wi-Fi routers running NETGEAR's proprietary firmware stack.
RemediationAI
The primary remediation is a firmware update to the patched versions released by NETGEAR. Per EUVD-2026-35452, the following minimum firmware versions resolve this issue: R7000 → V1.0.11.216, RAX20 → V1.0.18.144, RAX35v2/RAX41/RAX42/RAX43/RAX45/RAX50/RAX50S → V1.0.16.132, RAX41v2/RAX42v2/RAX43v2/RAX49S/RAX50v2/RAX54v2/RAX54Sv2 → V1.1.4.28, RAXE450/RAXE500 → V1.2.14.114, and XR1000/XR1000v2 → V1.1.0.22. Firmware downloads are available from the respective NETGEAR product support pages linked in the references above. As compensating controls pending patching, enforce least-privilege admin access by ensuring only strictly necessary personnel hold router administrator credentials and rotate any shared credentials immediately - this directly reduces the threat population given that PR:H is a hard prerequisite. Additionally, ensure the router admin interface is not bridged to untrusted network segments, since AV:A means all exploitation must originate from the adjacent network; network segmentation that isolates the management plane limits lateral escalation risk. Note that these controls reduce attack surface but do not eliminate the underlying vulnerability.
Insufficient input validation across 30+ NETGEAR router, range extender, and mesh networking models enables local networ
Integrity tampering in NETGEAR router and mesh network firmware allows authenticated administrators on the local network
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35452
GHSA-r224-q75m-hjpj