Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (NETGEAR) · only source for this CVE.
CVSS VectorVendor: NETGEAR
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Insufficient authentication and input validation in the listed NETGEAR models allow users connected to the local network to execute commands impacting product's confidentiality or change certain configurations.
AnalysisAI
Insufficient authentication (CWE-306) and input validation weaknesses across more than 25 NETGEAR router and mesh system models allow an adjacent-network attacker with low-level privileges to execute arbitrary commands and read sensitive configuration data, or alter certain device settings. The CVSS 4.0 vector confirms the attack is limited to adjacent network segments (AV:A) and requires low privileges (PR:L), with high confidentiality impact on both the vulnerable component and subsequent systems (VC:H, SC:H). No public exploit has been identified at time of analysis, and NETGEAR has self-reported the issue with patches available for all listed product lines.
Technical ContextAI
CWE-306 (Missing Authentication for Critical Function) describes the root cause: certain management or command-execution endpoints on the affected NETGEAR firmware fail to enforce authentication before processing requests, meaning a low-privileged local network user can invoke privileged operations. The secondary weakness - input validation failure - enables injection of crafted input that the device's command processing layer executes without sanitization. Affected CPEs span a broad portfolio: consumer routers (cpe:2.3:a:netgear:r6700ax, r7800, r9000), RAX-series Wi-Fi 6 routers (rax10, rax10v2, rax120, rax120v1, rax120v2), and LBR-series cable/mesh models (lbr1020, lbr20). The CVSS 4.0 adjacent-network attack vector (AV:A) indicates exploitation requires Layer-2 or same-broadcast-domain proximity, consistent with home or small-office LAN segments where these products are commonly deployed. The SC:H (high subsequent system confidentiality) signal suggests downstream systems - such as devices behind the router whose traffic or credentials might be intercepted - are also at elevated risk.
RemediationAI
Patch available per vendor advisory - upgrade each affected model to the minimum fixed firmware version listed by NETGEAR: RBR/RBS350 to V4.4.2.1 or later, XR450/XR500 to V2.3.3.136 or later, Orbi RBR/RBS 10/20/40/50 series to V2.7.6.6 or later (note: EUVD lists these as vulnerable at exactly 2.7.6.6, so verify the specific fixed release with NETGEAR's support page), RAX70/RAX78 to V1.0.19.172 or later, RAX120 family to V1.2.10.56 or later, RAX10/RAX36S to V1.0.5.50 or later, R7800 to V1.0.4.96 or later, R9000 to V1.0.6.46 or later, LBR1020 to V2.6.4.60 or later, LBR20 to V2.7.6.8 or later, R6700AX to a version above V1.0.20.174. Firmware updates are available from the respective NETGEAR support pages referenced in the CVE (e.g., https://www.netgear.com/support/product/rax120/). If immediate patching is not possible, restrict LAN access to router management interfaces by disabling remote management, segmenting untrusted devices onto a separate VLAN or guest network (trade-off: adds network complexity), and limiting which hosts can reach the router's management IP via firewall rules or access control lists. These compensating controls reduce but do not eliminate risk, as the attack vector is adjacent network, not WAN.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35466
GHSA-wq28-w638-7xcv