CVE-2026-0404

Severity: Medium

Published: 13 January 2026

Modified: 12 February 2026
CVSS v4 Score: 4.8
CVSS v4 Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
EPSS Score: 0.0011 (29.1th percentile)
Risk Priority: 10 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-0404 is a medium-severity Improper Input Validation (CWE-20) vulnerability in NETGEAR RBR750 firmware. Its CVSS v4 base score is 4.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 29.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-0404 is an insufficient input validation vulnerability (CWE-20) in the DHCPv6 functionality of NETGEAR Orbi devices, including models RBR750, RBR840, RBR850, and RBR860. Published on January 13, 2026, this flaw enables OS command injection on the router. It carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high impact potential when exploited.

Network-adjacent attackers authenticated over WiFi or on the LAN can exploit the vulnerability by targeting the DHCPv6 feature, which is not enabled by default. Successful exploitation allows execution of arbitrary OS commands on the router, potentially leading to full compromise with high confidentiality, integrity, and availability impacts.

NETGEAR's January 2026 Security Advisory provides details on the vulnerability at https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory, with product support pages available for RBR750, RBR840, RBR850, and RBR860 at their respective URLs. Security practitioners should review these resources for recommended patches and mitigation guidance.

Vulnerability details

An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network-adjacent attackers authenticated over WiFi or on the LAN to perform OS command injection on the router. DHCPv6 is not enabled by default.

CWE(s)

CWE-20 (Improper Input Validation)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The vulnerability directly enables remote exploitation of the DHCPv6 service for OS command injection, which maps to remote service exploitation and Unix shell command execution on the router.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-0403 · Same product: NETGEAR RBR750
CVE-2026-0406 · Same vendor: NETGEAR
CVE-2026-0405 · Same product: NETGEAR RBR750
CVE-2024-12847 · Same vendor: NETGEAR
CVE-2024-54804 · Same vendor: NETGEAR
CVE-2024-54807 · Same vendor: NETGEAR
CVE-2025-28219 · Same vendor: NETGEAR
CVE-2022-40619 · Same vendor: NETGEAR
CVE-2024-54805 · Same vendor: NETGEAR
CVE-2024-54803 · Same vendor: NETGEAR

Affected Assets

Vendor · Product · Affected versions
netgear · rbr750 firmware · ≤ 7.2.8.5
netgear · rbr840 firmware · ≤ 7.2.8.5
netgear · rbr850 firmware · ≤ 7.2.8.5
netgear · rbr860 firmware · ≤ 7.2.8.5
netgear · rbs750 firmware · ≤ 7.2.8.5
netgear · rbs840 firmware · ≤ 7.2.8.5
netgear · rbs850 firmware · ≤ 7.2.8.5
netgear · rbs860 firmware · ≤ 7.2.8.5
netgear · rbre950 firmware · ≤ 7.2.8.5
netgear · rbre960 firmware · ≤ 7.2.8.5
+2 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

Prevent · SI-10 directly mandates input validation for external interfaces like DHCPv6, preventing command injection from insufficiently validated inputs.

Prevent · SI-2 requires timely flaw remediation through firmware patching, directly addressing the known input validation vulnerability in NETGEAR Orbi DHCPv6.

Prevent · CM-7 enforces least functionality by disabling non-essential DHCPv6 on Orbi routers, eliminating exposure to the vulnerable feature.