PT-2022-25421 · NetGear · R6230 Firmware (and 9 other affected products)

Published: 2022-09-19 · Updated: 2026-03-09 · CVE-2022-40620

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

- NETGEAR R6230 versions prior to 1.1.0.112
- NETGEAR R6260 versions prior to 1.1.0.88
- NETGEAR R7000 versions prior to 1.0.11.134
- NETGEAR R8900 versions prior to 1.0.5.42
- NETGEAR R9000 versions prior to 1.0.5.42
- NETGEAR XR300 versions prior to 1.0.3.72
- NETGEAR Orbi RBR20 versions prior to 2.7.2.26
- NETGEAR Orbi RBR50 versions prior to 2.7.4.26
- NETGEAR Orbi RBS20 versions prior to 2.7.2.26
- NETGEAR Orbi RBS50 versions prior to 2.7.4.26

Description

The FunJSQ module, integrated into certain NETGEAR routers and Orbi WiFi Systems, does not correctly validate TLS certificates during the automatic update process. This allows a network-based attacker to intercept the update request and deliver a malicious update package, potentially leading to arbitrary code execution on affected devices.

Recommendations

- Update NETGEAR R6230 to version 1.1.0.112 or later.
- Update NETGEAR R6260 to version 1.1.0.88 or later.
- Update NETGEAR R7000 to version 1.0.11.134 or later.
- Update NETGEAR R8900 to version 1.0.5.42 or later.
- Update NETGEAR R9000 to version 1.0.5.42 or later.
- Update NETGEAR XR300 to version 1.0.3.72 or later.
- Update NETGEAR Orbi RBR20 to version 2.7.2.26 or later.
- Update NETGEAR Orbi RBR50 to version 2.7.4.26 or later.
- Update NETGEAR Orbi RBS20 to version 2.7.2.26 or later.
- Update NETGEAR Orbi RBS50 to version 2.7.4.26 or later.

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2022-40620

Affected Products

R6230 Firmware
R6260 Firmware
R7000 Firmware
R8900 Firmware
R9000 Firmware
Rax120 Firmware
Rax120V2 Firmware
Rbr20 Firmware
Rbs20 Firmware
Xr300 Firmware