CVE-2025-12940

Summary

Login credentials are inadvertently recorded in logs if a Syslog Server is configured in NETGEAR WAX610 and WAX610Y (AX1800 Dual Band PoE Multi-Gig Insight Managed WiFi 6 Access Points). An user having access to the syslog server can read the logs containing these credentials. 

This issue affects WAX610: before 10.8.11.4; WAX610Y: before 10.8.11.4.

Devices managed with Insight get automatic updates. If not, please check the firmware version and update to the latest.

Fixed in:

WAX610 firmware 11.8.0.10 or later.

WAX610Y firmware 11.8.0.10 or later.

Affected Software

VendorProductVersion RangeStatus
NETGEARWAX6100 < 10.8.11.4affected
NETGEARWAX610Y0 < 10.8.11.4affected

Weaknesses

  • CWE-532: CWE-532 Insertion of Sensitive Information into Log File

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References