CVE-2026-0404

Summary

An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default.

Affected Software

VendorProductVersion RangeStatus
NETGEARRBRE9600 < v7.2.8.5affected
NETGEARRBSE9600 < v7.2.8.5affected
NETGEARRBR8500 < v7.2.8.5affected
NETGEARRBS8500 < v7.2.8.5affected
NETGEARRBR8600 < v7.2.8.5affected
NETGEARRBS8600 < v7.2.8.5affected
NETGEARRBRE9500 < v7.2.8.5affected
NETGEARRBSE9500 < v7.2.8.5affected
NETGEARRBR7500 < v7.2.8.5affected
NETGEARRBS7500 < v7.2.8.5affected
NETGEARRBR8400 < v7.2.8.5affected
NETGEARRBS8400 < v7.2.8.5affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References