Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:L/U:Amber
Primary rating from Vendor (NETGEAR) · only source for this CVE.
CVSS VectorVendor: NETGEAR
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:L/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
An unauthenticated user on the local network can gain control of the router and make unauthorized changes to its operation.
AnalysisAI
Unauthenticated local-network control of NETGEAR CAX30, RAX30, RAX5, and RAXE300 routers is possible through an authentication bypass rooted in improper input validation (CWE-20). An attacker already present on the local network segment - such as a guest Wi-Fi user, a compromised IoT device, or a rogue actor on the same LAN - can circumvent authentication and gain full administrative control, enabling arbitrary configuration changes, traffic interception, or persistent backdoor installation. No public exploit code has been identified at time of analysis, and NETGEAR has released firmware patches for all four affected product lines.
Technical ContextAI
The vulnerability affects four NETGEAR consumer/prosumer routers - CAX30, RAX30, RAX5, and RAXE300 - identified via CPE strings cpe:2.3:a:netgear:cax30, cpe:2.3:a:netgear:rax30, cpe:2.3:a:netgear:rax5, and cpe:2.3:a:netgear:raxe300. The root cause is CWE-20 (Improper Input Validation), tagged as an Authentication Bypass, meaning the router's management interface fails to properly validate or enforce authentication checks on certain inputs or request paths. This class of flaw typically manifests as missing or bypassable token/session checks, malformed request handling that skips auth gates, or logic flaws where crafted input causes the firmware to treat an unauthenticated request as authorized. The CVSS 4.0 vector confirms no privileges are required (PR:N) and no user interaction is needed (UI:N), but the Attack Requirements metric is set to Present (AT:P), indicating some precondition - such as a specific router state, a particular firmware code path being reachable, or a timing/race condition - must be met for exploitation to succeed.
RemediationAI
The primary remediation is to upgrade to the patched firmware versions released by NETGEAR: RAX5 to V1.0.5.34 or later, CAX30 to V2.2.1.4 or later, RAX30 to V1.0.10.94 or later, and RAXE300 to V1.0.10.72 or later. Firmware can be downloaded and applied via each product's support page (links above). If immediate patching is not possible, restrict access to the router's management interface by disabling remote management and ensuring that only trusted devices are on the LAN segment; this does not eliminate the risk since AV:A includes local network access, but raises the barrier. Isolating untrusted devices (IoT, guest users) onto a separate VLAN or SSID that has no layer-2 visibility to the router's management plane is an effective compensating control - note this may require a managed switch and is not natively available on all NETGEAR home router configurations. Do not rely on WPA2/WPA3 passwords alone as a compensating control, since any authenticated Wi-Fi client on the same segment could be the attacker. Recovery is rated Low effort (RE:L) per CVSS, meaning restoring router settings after an attack is straightforward, but does not address persistence mechanisms an attacker may have installed prior to detection.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35458
GHSA-grpw-fvf6-9688