PT-2022-25420 · NetGear · R6230 Firmware+9

Published: 2022-09-19 · Updated: 2026-03-09 · CVE-2022-40619

CVSS v3.1: 7.7 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions

NETGEAR routers and Orbi WiFi Systems versions prior to 1.1.0.112
NETGEAR R6260 versions prior to 1.1.0.88
NETGEAR R7000 versions prior to 1.0.11.134
NETGEAR R8900 versions prior to 1.0.5.42
NETGEAR R9000 versions prior to 1.0.5.42
NETGEAR XR300 versions prior to 1.0.3.72
NETGEAR Orbi RBR20 versions prior to 2.7.2.26
NETGEAR Orbi RBR50 versions prior to 2.7.4.26
NETGEAR Orbi RBS20 versions prior to 2.7.2.26
NETGEAR Orbi RBS50 versions prior to 2.7.4.26

Description

A third-party module, FunJSQ, integrated into some NETGEAR routers and Orbi WiFi Systems exposes an HTTP server over the LAN interface of affected devices. This interface is susceptible to unauthenticated arbitrary command injection through the funjsq access token parameter.

Recommendations

Update NETGEAR routers and Orbi WiFi Systems to version 1.1.0.112 or later.
Update NETGEAR R6260 to version 1.1.0.88 or later.
Update NETGEAR R7000 to version 1.0.11.134 or later.
Update NETGEAR R8900 to version 1.0.5.42 or later.
Update NETGEAR R9000 to version 1.0.5.42 or later.
Update NETGEAR XR300 to version 1.0.3.72 or later.
Update NETGEAR Orbi RBR20 to version 2.7.2.26 or later.
Update NETGEAR Orbi RBR50 to version 2.7.4.26 or later.
Update NETGEAR Orbi RBS20 to version 2.7.2.26 or later.
Update NETGEAR Orbi RBS50 to version 2.7.4.26 or later.

Exploit

Fix

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2022-40619

Affected Products

R6230 Firmware
R6260 Firmware
R7000 Firmware
R8900 Firmware
R9000 Firmware
Rax120 Firmware
Rax120V2 Firmware
Rbr20 Firmware
Rbs20 Firmware
Xr300 Firmware