CVE-2025-12940 in WAX610

Summary

by MITRE • 11/11/2025

Login credentials are inadvertently recorded in logs if a Syslog Server is configured in NETGEAR WAX610 and WAX610Y (AX1800 Dual Band PoE Multi-Gig Insight Managed WiFi 6 Access Points). A user with access to the syslog server can read the logs containing these credentials.

This issue affects WAX610: before 10.8.11.4; WAX610Y: before 10.8.11.4.

Devices managed with Insight get automatic updates. If not, please check the firmware version and update to the latest.

Fixed in:

WAX610 firmware 11.8.0.10 or later.

WAX610Y firmware 11.8.0.10 or later.


Analysis

by VulDB Data Team • 12/08/2025

This vulnerability is a critical logging flaw in NETGEAR WAX610 and WAX610Y managed WiFi 6 access points: when a syslog server is configured, login credentials are written in plain text into the syslog messages. The root cause is improper sanitization in the logging path, where authentication credentials are written to system logs without any masking or filtering. The result is a persistent exposure of administrative credentials, which are sensitive data that should be handled under strict controls. The weakness corresponds to CWE-532 (information exposure through log files) and contradicts the logging guidance in the OWASP Top Ten. Anyone with access to the syslog server can retrieve the credentials directly and may use them to gain unauthorized administrative access to the affected network infrastructure.

The flaw lies in the syslog path: the firmware does not sanitize or mask authentication parameters before forwarding log messages to the remote syslog server, a classic case of sensitive data flowing through a system component without filtering or obfuscation. It is particularly concerning because these devices are built for enterprise environments, where network security is paramount and the access points are typically deployed in mission-critical network segments. Firmware versions before 10.8.11.4 are affected on both models, so the problem existed across multiple firmware iterations rather than a single release. This points to a systemic weakness in logging practice rather than a one-time oversight, and potentially to many exposed units in enterprise networks.

Operationally, the vulnerability gives an attacker a direct route to administrative credentials for wireless network infrastructure. The impact goes beyond credential theft: these access points often sit in core network segments, where administrative access can lead to broader network infiltration. The affected devices are managed through NETGEAR Insight, which usually indicates enterprise-grade deployments with an expectation of robust security controls. Organizations relying on these devices for critical network operations are exposed to insider threats and to external attackers who gain access to the syslog server infrastructure. In ATT&CK terms, the issue maps to T1567.002 for "Exfiltration Over Web Service" and to T1078.002 for "Valid Accounts" when attackers use the stolen credentials to maintain persistent access to the network infrastructure.

Mitigation starts with an immediate firmware update to version 11.8.0.10 or later on both models, which presumably sanitizes credentials in syslog output. Organizations should also review their syslog server configuration and access controls so that only authorized personnel can read the logs, following the principle of least privilege; consider network segmentation to isolate syslog servers from other network components; and add monitoring to detect unauthorized access attempts against the syslog infrastructure. Security teams should audit all managed network devices for similar logging weaknesses and verify that every logging component validates and filters its input. The fix addresses the root cause by filtering credentials so that sensitive authentication data is never written to log files, closing the exposure through log access.
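The two preceding points, that the device should mask authentication parameters before they reach the log and that syslog operators should monitor for credential exposure, can both be demonstrated with a receiver-side scrubbing filter. The following Python script is an added example, not code from NETGEAR or VulDB: it masks credential values in incoming syslog lines before they are persisted and reports which lines leaked a secret, so the source device can be scheduled for the firmware update. The field names in CREDENTIAL_KEYS and the sample lines are assumptions; the advisory does not disclose the actual WAX610 log format.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Hypothetical field names that carry secrets. The advisory does not show the
# actual WAX610 log format, so this list and the sample lines below are assumptions.
CREDENTIAL_KEYS = ("password", "passwd", "pwd", "secret", "token")
_KEYS = "|".join(CREDENTIAL_KEYS)

# Handles key=value, key: value, key="value" and JSON-style "key":"value".
_CRED_RE = re.compile(
    rf"(?i)\b(?P<key>{_KEYS})"   # credential field name
    r"(?P<kq>[\"']?)"            # optional quote closing a JSON-style key
    r"(?P<sep>\s*[=:]\s*)"       # '=' or ':' separator
    r"(?P<vq>[\"']?)"            # optional quote opening the value
    r"(?P<val>[^\s,;\"']+)"      # the secret itself
    r"(?P=vq)"                   # matching closing quote, if the value had one
)
REDACTED = "[REDACTED]"


@dataclass
class ScrubResult:
    line: str               # the line with secret values masked
    keys: Tuple[str, ...]   # credential field names found (lowercased)

    @property
    def leaked(self) -> bool:
        return bool(self.keys)


def scrub_line(line: str) -> ScrubResult:
    """Mask every credential value in one syslog line. Field names are kept so
    the event stays readable and the leak itself remains visible for alerting."""
    found: List[str] = []

    def _mask(m: re.Match) -> str:
        found.append(m.group("key").lower())
        return (m.group("key") + m.group("kq") + m.group("sep")
                + m.group("vq") + REDACTED + m.group("vq"))

    return ScrubResult(_CRED_RE.sub(_mask, line), tuple(found))


def scrub_stream(lines: Iterable[str]) -> Tuple[List[str], List[Tuple[int, Tuple[str, ...]]]]:
    """Scrub an iterable of raw syslog lines.

    Returns the cleaned lines (safe to persist) and an alert list of
    (1-based line number, keys found), so the sending device can be flagged
    for the firmware check the advisory recommends."""
    clean: List[str] = []
    alerts: List[Tuple[int, Tuple[str, ...]]] = []
    for n, raw in enumerate(lines, 1):
        result = scrub_line(raw.rstrip("\n"))
        clean.append(result.line)
        if result.leaked:
            alerts.append((n, result.keys))
    return clean, alerts


# Constructed sample lines in RFC 3164 style; host name, program names and
# message bodies are invented for this example.
SAMPLE_LINES = [
    "<134>Jan  1 00:00:01 wax610 httpd: admin login user=admin password=hunter2 from 192.0.2.10",
    "<134>Jan  1 00:00:02 wax610 httpd: session refresh user=admin",
    '<134>Jan  1 00:00:03 wax610 cloud: auth {"user":"admin","password":"s3cr3t!"}',
    "<134>Jan  1 00:00:04 wax610 sshd: client token='abc.def' accepted",
]

if __name__ == "__main__":
    cleaned, alerts = scrub_stream(SAMPLE_LINES)
    for line in cleaned:
        print(line)
    for n, keys in alerts:
        print(f"ALERT line {n}: credential field(s) {', '.join(keys)} were logged in clear text")
```

Only the values are masked; the field names stay in place, so a detection rule on the collector can still count how often a device sends credential-bearing events. This is a compensating control at the log collector and does not replace the firmware fix, which stops the leak at its source.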

Responsible: NETGEAR

Reservation: 11/10/2025

Disclosure: 11/11/2025

Moderation: accepted

CPE: ready

EPSS: 0.00014

KEV: no

Activities: very low
