21
CVEs
0
Critical
3
High
0
KEV
2
PoC
3
Unpatched C/H
71.4%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
0
HIGH
3
MEDIUM
18
LOW
0
Monthly CVE Trend
Affected Products (30)
Rbr850 Firmware
148
Rbs850 Firmware
146
Rbk852 Firmware
142
Rbr750 Firmware
128
Rbs750 Firmware
127
Rbk752 Firmware
120
R7000P Firmware
98
R9000 Firmware
93
R7800 Firmware
92
R8900 Firmware
90
D7800 Firmware
84
Xr500 Firmware
83
Xr700 Firmware
71
Rbk50 Firmware
70
R7000 Firmware
70
Rbr50 Firmware
69
Rax120 Firmware
69
Rbs50 Firmware
68
Rax80 Firmware
60
R8000 Firmware
59
Rax75 Firmware
57
Rbr20 Firmware
57
Rbs20 Firmware
56
R6900P Firmware
55
Rbk40 Firmware
55
Rbs40 Firmware
53
R6700 Firmware
53
Rbr40 Firmware
52
Rbk20 Firmware
51
Xr300 Firmware
51
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2022-40619 | FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devices. This interface is vulnerable to unauthenticated arbitrary command injection through the funjsq_access_token parameter. [CVSS 7.7 HIGH] | HIGH | 7.7 | 0.8% | 59 |
PoC
No patch
|
| CVE-2022-40620 | FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS certificates when downloading update packages through its auto-update mechanism. [CVSS 7.7 HIGH] | HIGH | 7.7 | 0.1% | 59 |
PoC
No patch
|
| CVE-2026-24714 | End-of-service Netgear devices with TelnetEnable functionality can have telnet service remotely activated via specially crafted magic packets, enabling unauthenticated remote access to the device. An attacker on the network can exploit this to gain command-line access without credentials, potentially leading to device compromise and lateral movement. No patch is available for affected products. | HIGH | 7.5 | 0.1% | 38 |
No patch
|
| CVE-2026-9213 | Remote code execution affects NETGEAR gaming routers (XR1000, MR70, MS70, RAXE500) when an attacker holds an on-path man-in-the-middle position between the device and the internet. The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N) confirms no privileges are needed on the target device but requires both high attack complexity and a specific network prerequisite - the ability to intercept and tamper with upstream traffic. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog. | MEDIUM | 6.9 | 0.2% | 35 |
|
| CVE-2026-15757 | A security flaw was discovered in the NETGEAR DGND3700v1 that could allow someone on the same local WiFi network to send unauthorized commands to the | MEDIUM | 6.3 | 0.2% | 32 |
No patch
|
| CVE-2026-62655 | Stack-based buffer overflow in multiple NETGEAR Orbi mesh WiFi models (RBR860, RBRE950/960, RBE970/971, RBS860, RBSE950/960) enables an unauthenticated adjacent-network attacker to crash or force a restart of the affected device, causing a loss of network connectivity. The root cause is CWE-121 (stack-based buffer overflow), meaning a crafted network payload can overwrite stack memory and destabilize the device process. The CVSS 4.0 supplemental metric E:P indicates a proof-of-concept exploit exists, elevating practical risk despite the moderate base score of 5.7. | MEDIUM | 5.7 | 0.2% | 29 |
|
| CVE-2026-9212 | Insufficient authentication (CWE-306) and input validation weaknesses across more than 25 NETGEAR router and mesh system models allow an adjacent-network attacker with low-level privileges to execute arbitrary commands and read sensitive configuration data, or alter certain device settings. The CVSS 4.0 vector confirms the attack is limited to adjacent network segments (AV:A) and requires low privileges (PR:L), with high confidentiality impact on both the vulnerable component and subsequent systems (VC:H, SC:H). No public exploit has been identified at time of analysis, and NETGEAR has self-reported the issue with patches available for all listed product lines. | MEDIUM | 5.6 | 0.1% | 28 |
|
| CVE-2026-62656 | A security flaw was found in certain NETGEAR RAX models that could allow a logged-in user to send specially crafted requests to the router and run una | MEDIUM | 5.4 | 0.2% | 27 |
|
| CVE-2026-62657 | A security flaw in the router's certificate validation process was discovered in the NETGEAR XR1000 Gaming Router and certain Nighthawk models that co | MEDIUM | 4.9 | 0.1% | 25 |
|
| CVE-2026-9210 | Insufficient input validation across 30+ NETGEAR router, range extender, and mesh networking models enables local network-adjacent modification of router software and functionality. The CVSS 4.0 vector assigns PR:N (no privileges required) and AV:A (adjacent network), yet the CVE description scopes the vulnerability to 'authenticated administrators' - the 'Authentication Bypass' tag supplied by NETGEAR suggests the input validation flaw may itself circumvent authentication controls, reconciling this apparent conflict. Integrity impact is rated High (VI:H) against the vulnerable system, meaning successful exploitation allows unauthorized firmware or configuration modification. No public exploit is identified at time of analysis (E:U), and this CVE is not listed in the CISA KEV catalog. | MEDIUM | 4.9 | 0.1% | 25 |
|
| CVE-2026-0409 | Remote command execution in NETGEAR Orbi 370 series routers (firmware before V12.1.2.7) is achievable by a network-positioned adversary who can intercept and tamper with traffic between the device and the internet. Exploitation requires the device administrator to perform specific management actions while the attacker holds a man-in-the-middle position, at which point a buffer overflow (CWE-119) is triggered allowing arbitrary command execution on the device. No public exploit exists at time of analysis and the vendor has released a patching firmware (V12.1.2.7); no KEV listing has been issued by CISA. | MEDIUM | 4.8 | 0.1% | 24 |
|
| CVE-2026-62658 | Post-authentication command execution in NETGEAR Nighthawk RAX-series routers (RAX43, RAX45, RAX50, RAX54S, RAX54Sv2) permits an attacker already holding administrative credentials and adjacent network access to run unauthorized OS-level commands or code on the device. Rooted in CWE-20 (Improper Input Validation), the flaw bypasses authorization controls within the authenticated management session, yielding high integrity impact on the vulnerable system. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental metric E:P indicates proof-of-concept code exists; a vendor-released patch is available from NETGEAR. | MEDIUM | 4.7 | 0.2% | 24 |
|
| CVE-2026-0420 | TLS certificate validation failure in the ReadyCloud client app on multiple NETGEAR router models exposes confidential data to network interception. The app does not properly validate TLS certificates (CWE-325), enabling a network-positioned attacker to perform man-in-the-middle (MiTM) attacks against ReadyCloud communications. Affected models include the RAX35, RAX38, RAX40, RAX120v1, and RAX120v2 running firmware below the patched versions; no public exploit code exists and no active exploitation has been confirmed. | MEDIUM | 4.6 | 0.0% | 23 |
|
| CVE-2026-0419 | OS command injection in NETGEAR JR6150 firmware (all versions ≤ 1.0.1.26) allows locally authenticated or WiFi-connected users to execute arbitrary operating system commands via insufficient input validation (CWE-20). The device reached End-of-Support in 2018 and NETGEAR will not release a patch, leaving all deployments permanently unmitigated. No public exploit code exists and active exploitation has not been confirmed (not listed in CISA KEV), but the perpetual absence of patching makes device replacement the only durable remediation. | MEDIUM | 4.4 | 0.1% | 22 |
No patch
|
| CVE-2026-62659 | A security flaw was discovered in the NETGEAR WAX333 Access Point that could allow someone already logged in and connected to the local network to mak | MEDIUM | 4.3 | 0.2% | 22 |
|