CVE-2026-0404
4.8
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber
Summary
An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| NETGEAR | RBRE960 | 0 < v7.2.8.5 | affected |
| NETGEAR | RBSE960 | 0 < v7.2.8.5 | affected |
| NETGEAR | RBR850 | 0 < v7.2.8.5 | affected |
| NETGEAR | RBS850 | 0 < v7.2.8.5 | affected |
| NETGEAR | RBR860 | 0 < v7.2.8.5 | affected |
| NETGEAR | RBS860 | 0 < v7.2.8.5 | affected |
| NETGEAR | RBRE950 | 0 < v7.2.8.5 | affected |
| NETGEAR | RBSE950 | 0 < v7.2.8.5 | affected |
| NETGEAR | RBR750 | 0 < v7.2.8.5 | affected |
| NETGEAR | RBS750 | 0 < v7.2.8.5 | affected |
| NETGEAR | RBR840 | 0 < v7.2.8.5 | affected |
| NETGEAR | RBS840 | 0 < v7.2.8.5 | affected |
Weaknesses
- CWE-20: CWE-20 Improper Input Validation
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://www.netgear.com/support/product/rbre960
- https://www.netgear.com/support/product/rbse960
- https://www.netgear.com/support/product/rbr850
- https://www.netgear.com/support/product/rbs850
- https://www.netgear.com/support/product/rbr860
- https://www.netgear.com/support/product/rbs860
- https://www.netgear.com/support/product/rbre950
- https://www.netgear.com/support/product/rbse950
- https://www.netgear.com/support/product/rbr750
- https://www.netgear.com/support/product/rbs750
- https://www.netgear.com/support/product/rbr840
- https://www.netgear.com/support/product/rbs840
- https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.