Skip to main content

NetComm NF20MESH EUVDEUVD-2026-38453

| CVE-2026-35019 CRITICAL
Use of Hard-coded Cryptographic Key (CWE-321)
2026-06-23 VulnCheck GHSA-pqh9-6ffr-v5fc
9.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

AV:N for network-accessible management interface; AC:H reflects the specific prerequisite of an active admin session (maps to AT:P in CVSS 4.0); PR:N as attacker requires no credentials; full C/I/A impact on the router.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 23, 2026 - 15:04 vuln.today

DescriptionCVE.org

NetComm NF20MESH routers running firmware R6B031 and earlier contain an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by exploiting a hardcoded AES-256 key used to encrypt session cookies for the web management interface. Attackers can forge a valid encrypted session cookie using the shared hardcoded key and bypass authentication checks to obtain full administrative control of the management interface while any legitimate administrator session is active.

AnalysisAI

Authentication bypass in NetComm NF20MESH routers (firmware R6B031 and earlier) allows unauthenticated remote attackers to forge valid encrypted session cookies using a hardcoded AES-256 key embedded in the firmware, granting full administrative control of the web management interface. The root cause is CWE-321 (Use of Hard-coded Cryptographic Key): because the same static AES-256 key is shared across all devices, any attacker who extracts it from firmware can impersonate any session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Extract hardcoded AES-256 key from firmware image
Delivery
Identify reachable NF20MESH management interface
Exploit
Confirm active administrator session exists
Execution
Forge valid AES-256-encrypted session cookie
Persist
Submit forged cookie to web management interface
Impact
Obtain full unauthenticated administrative control

Vulnerability AssessmentAI

Exploitation Two conditions must be simultaneously true for exploitation to succeed: (1) the target NF20MESH device must be running firmware R6B031 or earlier - R6B032 and later are patched; and (2) a legitimate administrator must have an active authenticated session on the web management interface at the moment the forged cookie is submitted, as reflected by the AT:P metric in the CVSS 4.0 vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 9.2 accurately reflects the severity of the impact (full VC:H/VI:H/VA:H - complete compromise of the router) but must be interpreted alongside the AT:P (Attack Requirements: Present) modifier, which the description confirms as a hard prerequisite: an active administrator session must exist at the time of attack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has extracted the hardcoded AES-256 key from a publicly available NF20MESH firmware image monitors or waits for a period when a legitimate administrator is logged into the web management interface. The attacker constructs a syntactically valid session cookie encrypted with the known static key and submits it in a direct HTTP request to the management interface, which validates the encryption and grants full administrative access without prompting for credentials. …
Remediation The primary fix is upgrading to NetComm NF20MESH firmware R6B032 or later, available from the NetComm Wireless support portal at https://support.netcommwireless.com/products/nf20mesh#Firmware; the release notes confirming the fix are published at the vendor's firmware distribution endpoint. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify and inventory all NetComm NF20MESH routers running firmware R6B031 or earlier in your network environment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38453 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy