CVE-2026-0404
Insufficient input validation in NETGEAR Orbi routers
An insufficient input validation vulnerability in the DHCPv6
functionality of NETGEAR Orbi devices allows network-adjacent attackers
authenticated over WiFi or on the LAN to inject OS commands on the router.
DHCPv6 is not enabled by default.
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber
Affected products
NETGEAR · RBR750
NETGEAR · RBR840
NETGEAR · RBR850
NETGEAR · RBR860
NETGEAR · RBRE950
NETGEAR · RBRE960
NETGEAR · RBS750
NETGEAR · RBS840
NETGEAR · RBS850
NETGEAR · RBS860
NETGEAR · RBSE950
NETGEAR · RBSE960
References
https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory
https://www.netgear.com/support/product/rbr750
https://www.netgear.com/support/product/rbr840
https://www.netgear.com/support/product/rbr850
https://www.netgear.com/support/product/rbr860
https://www.netgear.com/support/product/rbre950
https://www.netgear.com/support/product/rbre960
https://www.netgear.com/support/product/rbs750
https://www.netgear.com/support/product/rbs840
https://www.netgear.com/support/product/rbs850
https://www.netgear.com/support/product/rbs860
https://www.netgear.com/support/product/rbse950