Detections
Analytics

CVE-2026-0404

high

Description

An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default.

References

https://www.netgear.com/support/product/rbse960

https://www.netgear.com/support/product/rbse950

https://www.netgear.com/support/product/rbs860

https://www.netgear.com/support/product/rbs850

https://www.netgear.com/support/product/rbs840

https://www.netgear.com/support/product/rbs750

https://www.netgear.com/support/product/rbre960

https://www.netgear.com/support/product/rbre950

https://www.netgear.com/support/product/rbr860

https://www.netgear.com/support/product/rbr850

https://www.netgear.com/support/product/rbr840

https://www.netgear.com/support/product/rbr750

https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory

Details

Source: Mitre, NVD

Published: 2026-01-13

Updated: 2026-02-12

Risk Information

CVSS v2

Base Score: 7.7

Vector: CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8

Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

CVSS v4

Base Score: 7.5

Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00505