Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (NETGEAR) · only source for this CVE.
CVSS VectorVendor: NETGEAR
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Insufficient input validation vulnerability in the listed NETGEAR models allows authenticated administrators connected to the local network to make unauthorized modification of router software and functionality.
AnalysisAI
Insufficient input validation across multiple NETGEAR Orbi mesh router models (RBR/RBS/RBE series) permits authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their intended privilege scope. Affected are all firmware versions prior to V7.2.8.5 on most Orbi models and prior to V9.12.4.9 on the RBE97x series. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; NETGEAR self-reported and has released patched firmware addressing the flaw.
Technical ContextAI
The affected devices are NETGEAR's Orbi mesh networking product line, spanning satellite (RBS), router (RBR), and enterprise/business-grade (RBE) models including the RBR750, RBR840, RBR850, RBR860, RBRE950, RBRE960, RBE97x, RBS750, RBS840, RBS850, and associated RBSE variants. The root cause is CWE-20 (Improper Input Validation) - the firmware's administrative interface fails to sufficiently validate or constrain inputs supplied by authenticated administrator sessions, allowing inputs that should be rejected to reach sensitive software modification pathways. The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:H/UI:N) confirms the attack surface is the adjacent local network (LAN/Wi-Fi), that no special attack preconditions beyond admin credentials are required, and that no user interaction is needed once authenticated. Despite being tagged 'Authentication Bypass,' the vector PR:H indicates the bypass is one of authorization scope rather than authentication itself - a legitimately authenticated admin can exceed the bounds of permitted operations.
RemediationAI
The primary remediation is to upgrade firmware to the patched versions released by NETGEAR: V7.2.8.5 or later for RBR750, RBR840, RBR850, RBR860, RBRE950, RBRE960, RBS750, RBS840, RBS850, RBS860, RBSE950, and RBSE960; and V9.12.4.9 or later for the RBE97x series. Firmware updates can be applied via the Orbi web administration interface or the Orbi mobile app. NETGEAR product-specific advisory and firmware download pages include: https://www.netgear.com/support/product/rbr850/, https://www.netgear.com/support/product/rbr750/, https://www.netgear.com/support/product/rbr860/, https://www.netgear.com/support/product/rbs850/, https://www.netgear.com/support/product/rbs750/, https://www.netgear.com/support/product/rbs840/, https://www.netgear.com/support/product/rbr840/, https://www.netgear.com/support/product/rbre950/, https://www.netgear.com/support/product/rbre960/, and https://www.netgear.com/support/product/rbe970/. As a compensating control prior to patching, administrators should rotate all Orbi admin credentials and enforce unique, complex passwords to reduce the risk of credential compromise that would enable exploitation. Restricting physical and Wi-Fi access to the local network segment hosting the Orbi routers limits adjacent-network exposure but does not eliminate risk from insider threats.
Code injection in NETGEAR RBE97x routers (firmware prior to V9.12.4.9) enables authenticated administrators on the local
Information disclosure in NETGEAR Orbi satellite devices (RBR350, RBR760, RBS350, RBS760, RBE97x) allows a low-privilege
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35464
GHSA-q37p-q3j4-w7g6