What is CVE-2026-0404?

An insufficient input validation vulnerability in NETGEAR Orbi devices allows authenticated network adjacent attackers to execute OS command injections. Organizations should prioritize patching this vulnerability to mitigate associated risks.

What is the severity of CVE-2026-0404?

CVE-2026-0404 has a severity rating of MEDIUM with a CVSS base score of 4.8.

CVE-2026-0404 | Medium Vulnerability in NETGEAR Orbi Devices

CVE-2026-0404 describes a medium-severity vulnerability affecting NETGEAR Orbi devices, specifically their DHCPv6 functionality. This vulnerability allows authenticated network adjacent attackers, either over WiFi or on LAN, to execute OS command injections on the router. The DHCPv6 feature is not enabled by default, which may limit exposure. However, the potential impact of this vulnerability is significant, with an associated CVSS score of 4.8.

The implications of this vulnerability extend to the confidentiality, integrity, and availability of affected devices, all of which are rated high. Organizations utilizing these devices must recognize the risk posed by this vulnerability and the necessity of prompt remediation.

As of now, there are no known exploits for this vulnerability; however, organizations should remain vigilant and prioritize the patching of NETGEAR Orbi devices to protect against potential exploitation.

Organizations should prioritize patching immediately. The publication date of this vulnerability was January 13, 2026, and the last modification occurred on February 12, 2026.

The urgency to address this vulnerability stems from its potential to allow unauthorized command execution, which may lead to further exploitation of network resources.

Effective risk management and timely remediation strategies will help mitigate the risks associated with this vulnerability.

Vulnerability Details

The official description of CVE-2026-0404 states that it involves an insufficient input validation vulnerability in the DHCPv6 functionality of NETGEAR Orbi devices. This allows network adjacent attackers who are authenticated over WiFi or LAN to execute OS command injections on the router. The vulnerability affects several firmware versions of NETGEAR Orbi devices, including rbr750, rbr840, rbr850, rbr860, rbs750, rbs840, rbs850, rbs860, rbre950, rbre960, rbse950, and rbse960.

The CVSS score for this vulnerability is 4.8, indicating a medium severity level. This score is based on factors such as the attack vector (adjacent), attack complexity (low), and the required privileges (low). The vulnerability has a high impact on confidentiality, integrity, and availability.

Technical Analysis

The root cause of CVE-2026-0404 is inadequate input validation within the DHCPv6 functionality of the affected NETGEAR devices. This allows malicious actors to exploit the feature, leading to OS command injections. The attack vector is adjacent, requiring the attacker to be on the same network as the target device. The attack complexity is low, as it does not require advanced skills or resources.

The attacker requires low privileges, which means an authenticated user on the local network can exploit this vulnerability. There is no user interaction required, making it easier for attackers to execute their commands.

The impacts of this vulnerability include high confidentiality, integrity, and availability risks, as unauthorized command execution could lead to further exploitation or compromise of the device.

Risk & Impact Analysis

The real-world risk associated with CVE-2026-0404 is significant, particularly for organizations that rely on NETGEAR Orbi devices for network operations. The ability for authenticated attackers to execute OS commands can lead to unauthorized access and manipulation of device functionalities, which in turn can provide a foothold for further attacks on the network.

Organizations must understand the blast radius potential of this vulnerability—an attacker who gains access to one device may be able to pivot and compromise other devices on the same network. As the CVSS score indicates a medium severity level, organizations should schedule remediation as a priority within their patch management cycles.

Given the lack of confirmed public exploits, the urgency for patching is moderate, yet organizations should not delay in addressing this vulnerability to prevent potential future exploitation.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The affected versions of NETGEAR Orbi devices are as follows: rbr750_firmware, rbr840_firmware, rbr850_firmware, rbr860_firmware, rbs750_firmware, rbs840_firmware, rbs850_firmware, rbs860_firmware, rbre950_firmware, rbre960_firmware, rbse950_firmware, and rbse960_firmware. All versions prior to the vendor patch version 7.2.8.5 are vulnerable.

Mitigation & Remediation

To mitigate this vulnerability, organizations should apply the latest patches provided by NETGEAR. The specific version to upgrade to is 7.2.8.5 or later. In cases where immediate patching is not feasible, organizations should consider implementing network controls to limit access to the affected devices and monitor for any anomalous activities.

Organizations may also conduct a thorough review of their network configurations and implement stricter access controls to reduce exposure to this vulnerability.

For additional guidance, organizations should consult the resources provided in NETGEAR's advisory on this vulnerability and consider investing in continuous penetration testing to identify any similar weaknesses within their network.

Detection Guidance

Organizations should monitor logs for any indicators of compromise related to this vulnerability. Behavioral anomalies in network traffic, particularly from devices authenticated through DHCPv6, should be closely monitored. Additionally, network signatures that correlate with unauthorized command executions should be established to aid in detection.

It is crucial to implement robust logging mechanisms that capture changes in system states and configurations to quickly identify any exploitation attempts.

AppSecure Threat Intelligence Insight

CVE-2026-0404 highlights the ongoing challenges organizations face in securing networked devices. As IoT and network devices become more prevalent, the risk of vulnerabilities that allow for command injection remains a pressing concern. Security teams should take this as a reminder to continuously assess the security posture of their network devices and maintain an updated inventory.

Additionally, organizations can learn from this incident to enhance their input validation practices, ensuring that similar vulnerabilities do not arise in future deployments. Implementing a comprehensive vulnerability management program can help in identifying and addressing such vulnerabilities proactively.

Finally, organizations should consider leveraging penetration testing methodologies to ensure their defenses are robust against potential exploit scenarios.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-0404: Medium Vulnerability in NETGEAR Orbi Devices