CVE-2022-40619

CVE-2022-40619 is an unauthenticated arbitrary command injection vulnerability (CWE-77) in the FunJSQ third-party module, which is integrated into certain NETGEAR routers and Orbi WiFi Systems. The module exposes an HTTP server over the LAN interface of affected devices, allowing injection through the funjsq_access_token parameter. Vulnerable models include R6230 before firmware 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, XR300 before 1.0.3.72, and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L).

An attacker on the local network with access to the LAN interface can exploit this issue without authentication by sending crafted HTTP requests to the vulnerable FunJSQ HTTP server, injecting arbitrary commands via the funjsq_access_token parameter. Successful exploitation enables command execution on the device, potentially compromising confidentiality and integrity to a high degree, with low impact on availability.

NETGEAR's security advisory PSV-2022-0117 addresses vulnerabilities in FunJSQ on the affected routers and Orbi systems, recommending firmware updates to the versions that remediate the issue, such as 1.1.0.112 for R6230. Additional details are provided in advisories from NETGEAR (https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117) and OneKey (https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities).