CVE-2022-40619
Published: 28 January 2026
Summary
CVE-2022-40619 is a high-severity Command Injection (CWE-77) vulnerability in the FunJSQ module shipped on NETGEAR routers and Orbi WiFi Systems (catalogued here under Netgear Rbr20 Firmware). Its CVSS v3.1 base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2022-40619 is an unauthenticated arbitrary command injection vulnerability (CWE-77) in the FunJSQ third-party module, which is integrated into certain NETGEAR routers and Orbi WiFi Systems. The module exposes an HTTP server over the LAN interface of affected devices, allowing injection through the funjsq_access_token parameter. Vulnerable models include R6230 before firmware 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, XR300 before 1.0.3.72, and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L).
An attacker on the local network with access to the LAN interface can exploit this issue without authentication by sending crafted HTTP requests to the vulnerable FunJSQ HTTP server, injecting arbitrary commands via the funjsq_access_token parameter. Successful exploitation enables command execution on the device, potentially compromising confidentiality and integrity to a high degree, with low impact on availability.
NETGEAR's security advisory PSV-2022-0117 addresses vulnerabilities in FunJSQ on the affected routers and Orbi systems, recommending firmware updates to the versions that remediate the issue, such as 1.1.0.112 for R6230. Additional details are provided in advisories from NETGEAR (https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117) and OneKey (https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-43893
Vulnerability details
FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devices. This interface is vulnerable to unauthenticated arbitrary command injection through the funjsq_access_token parameter. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26.
- CWE: CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.004 Command and Scripting Interpreter: Unix Shell
Why these techniques?
Unauthenticated command injection over HTTP directly enables exploitation of the exposed service (T1190) and arbitrary Unix shell command execution (T1059.004) on the router.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents command injection by validating inputs to the funjsq_access_token parameter before the FunJSQ HTTP server uses them.
- Flaw remediation (firmware update): requires timely installation of the fixed firmware versions listed in NETGEAR advisory PSV-2022-0117 to remove the command injection flaw from the FunJSQ module.
- AC-14 (Permitted Actions Without Identification or Authentication): limits or prohibits unauthenticated actions, such as the command-triggering requests accepted over the exposed LAN HTTP interface.
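To make the SI-10 point concrete, the following C snippet is an added illustration and is not FunJSQ's or NETGEAR's code. Only the parameter name funjsq_access_token comes from the advisory; the command template, function names, character allowlist and 64-byte length bound are assumptions chosen for the demonstration. It shows the CWE-77 shape (an untrusted token spliced into a shell command string) next to a hardened builder that rejects anything outside a strict allowlist.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative example only, not the real FunJSQ implementation.
 * The parameter name funjsq_access_token is from the advisory; the
 * command template, limits and function names are assumptions. */

#define TOKEN_MAX 64

/* CWE-77 pattern: the untrusted token is formatted straight into a
 * command line that a shell would later interpret, so any shell
 * metacharacter in the token becomes part of the command.
 * Returns bytes written, or -1 if the output buffer is too small. */
int build_cmd_vulnerable(const char *token, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "/bin/funjsq_client --token=%s", token);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* SI-10 style allowlist check for funjsq_access_token: non-NULL,
 * non-empty, at most TOKEN_MAX bytes, and only [A-Za-z0-9_-].
 * Rejecting instead of escaping keeps the check independent of which
 * shell (if any) eventually parses the string. */
bool token_is_valid(const char *token)
{
    if (token == NULL)
        return false;

    /* Bounded scan so an unterminated or oversized input is rejected
     * without walking past TOKEN_MAX + 1 bytes. */
    size_t len = 0;
    while (len <= TOKEN_MAX && token[len] != '\0')
        len++;
    if (len == 0 || len > TOKEN_MAX)
        return false;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)token[i];
        bool ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok)
            return false;
    }
    return true;
}

/* Hardened builder: validates before formatting and returns -1 for any
 * token that fails the allowlist. In real firmware the command should
 * additionally be run via execve() with the token as its own argv
 * element rather than through system()/popen(), so no shell sees it. */
int build_cmd_safe(const char *token, char *out, size_t outsz)
{
    if (!token_is_valid(token))
        return -1;
    return build_cmd_vulnerable(token, out, outsz);
}

int main(void)
{
    /* Constructed sample inputs: one benign token, one carrying a
     * shell command separator as an injection attempt would. */
    const char *benign = "abc123-XYZ_789";
    const char *injected = "x; cat /etc/passwd";
    char buf[256];

    build_cmd_vulnerable(injected, buf, sizeof buf);
    printf("vulnerable builds:  %s\n", buf);
    printf("safe(benign):       %d\n", build_cmd_safe(benign, buf, sizeof buf));
    printf("safe(injected):     %d\n", build_cmd_safe(injected, buf, sizeof buf));
    return 0;
}
```

The allowlist is deliberately narrower than "reject `;` and `|`": a denylist of metacharacters is easy to get wrong across busybox and bash (newlines, `$()`, backticks, redirections), whereas an allowlist only has to be correct for the values the service legitimately expects.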