CVE-2026-0404

moderate-risk

Published 2026-01-13

An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default.

Do I need to act?

0.15% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.0/10 High

ADJACENT_NETWORK / LOW complexity

Affected Products (12)

Rbr750 Firmware

Rbr840 Firmware

Rbr850 Firmware

Rbr860 Firmware

Rbs750 Firmware

Rbs840 Firmware

Rbs850 Firmware

Rbs860 Firmware

Rbre950 Firmware

Rbre960 Firmware

Rbse950 Firmware

Rbse960 Firmware

Affected Vendors

Netgear

References (13)

Patch https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory

Patch https://www.netgear.com/support/product/rbr750

Patch https://www.netgear.com/support/product/rbr840

Patch https://www.netgear.com/support/product/rbr850

Patch https://www.netgear.com/support/product/rbr860

Patch https://www.netgear.com/support/product/rbre950

Patch https://www.netgear.com/support/product/rbre960

Patch https://www.netgear.com/support/product/rbs750

Patch https://www.netgear.com/support/product/rbs840

Patch https://www.netgear.com/support/product/rbs850

Patch https://www.netgear.com/support/product/rbs860

Patch https://www.netgear.com/support/product/rbse950

Patch https://www.netgear.com/support/product/rbse960

/ 100

moderate-risk

Severity 25/34 · High

Exploitability 1/34 · Minimal

Exposure 17/34 · Moderate