Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (NETGEAR) · only source for this CVE.
CVSS VectorVendor: NETGEAR
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An improper implementation of TLS certificate validation vulnerability found in ReadyCloud client app which can allow an attacker to perform attacker-in-the-middle (MiTM) style attacks impacting product's confidentiality. This vulnerability affects the listed NETGEAR models.
AnalysisAI
TLS certificate validation failure in the ReadyCloud client app on multiple NETGEAR router models exposes confidential data to network interception. The app does not properly validate TLS certificates (CWE-325), enabling a network-positioned attacker to perform man-in-the-middle (MiTM) attacks against ReadyCloud communications. Affected models include the RAX35, RAX38, RAX40, RAX120v1, and RAX120v2 running firmware below the patched versions; no public exploit code exists and no active exploitation has been confirmed.
Technical ContextAI
CWE-325 (Missing Required Cryptographic Step) describes a failure to perform a mandatory step in a cryptographic protocol - here, the TLS certificate validation chain. When a TLS client skips or improperly implements certificate verification, it cannot distinguish a legitimate server certificate from a forged one presented by an adversary. The ReadyCloud client app, embedded in NETGEAR Nighthawk-series routers (CPE: cpe:2.3:a:netgear:rax35, rax38, rax40, rax120v1, rax120v2), communicates with NETGEAR's ReadyCloud remote access service over TLS. The flawed validation means an attacker who can intercept the TCP/TLS session can present an arbitrary certificate and successfully negotiate a session, stripping confidentiality from the channel. The CVSS 4.0 vector confirms a network attack path (AV:N) but notes high complexity (AC:H) and additional prerequisites (AT:P), reflecting that a privileged network position - not just any internet host - is required.
RemediationAI
Upgrade affected router firmware to the patched releases confirmed in EUVD-2026-35467: RAX120v1 and RAX120v2 should be updated to V1.2.9.52 or later; RAX35, RAX38, and RAX40 should be updated to V1.0.6.106 or later. Firmware is available via the NETGEAR support pages at https://www.netgear.com/support/product/rax35/, https://www.netgear.com/support/product/rax38/, https://www.netgear.com/support/product/rax40/, and https://www.netgear.com/support/product/rax120v2/. As a compensating control for devices that cannot be immediately patched, administrators should disable the ReadyCloud remote access feature in the router's admin interface, which eliminates the attack surface entirely at the cost of losing ReadyCloud remote access functionality. Additionally, ensuring that router management and ReadyCloud traffic only traverse trusted network segments reduces the MiTM prerequisite. No workaround substitutes fully for the firmware patch.
Same weakness CWE-325 – Missing Cryptographic Step
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35467
GHSA-vww4-r7gr-9xvq