CVE-2025-12941 in C6220
Summary
by MITRE • 12/09/2025
Denial of Service Vulnerability in NETGEAR C6220 and C6230 (DOCSIS® 3.0 Two-in-one Cable Modem + WiFi Router) allows authenticated local WiFi users reboot the router.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/17/2026
This vulnerability affects NETGEAR C6220 and C6230 cable modems that operate as DOCSIS 3.0 two-in-one devices combining cable modem and WiFi router functionality. The issue stems from insufficient access controls within the device's web interface, specifically in the administrative functions that handle device reboots. An authenticated local WiFi user who has access to the device's administrative interface can exploit this weakness to trigger an unauthorized system reboot, effectively causing a denial of service condition that disrupts network connectivity for all connected devices.
The technical flaw resides in the lack of proper authentication verification for critical system operations within the device's web administration panel. When an authenticated user attempts to initiate a reboot command through the web interface, the system fails to validate whether the user possesses the necessary privileges to perform such an operation. This represents a classic access control vulnerability that aligns with CWE-285, which addresses insufficient authorization in security-critical functions. The vulnerability exists because the device does not properly enforce role-based access controls for administrative operations, allowing any authenticated user to escalate their privileges to perform system-level actions.
From an operational perspective, this vulnerability creates significant disruption for end users who rely on continuous network connectivity. The denial of service impacts not only the local network but also potentially affects downstream services that depend on stable internet access. An attacker with local WiFi access could repeatedly trigger reboots, causing persistent network outages that would require manual intervention to restore service. The impact extends beyond simple inconvenience as many modern devices and services depend on continuous network availability for proper operation.
The vulnerability can be exploited through a straightforward web interface interaction where an authenticated user navigates to the reboot function within the device's administrative panel. No specialized tools or complex attack vectors are required, making this particularly dangerous as it can be exploited by anyone with legitimate WiFi credentials. The device's configuration allows local network users to access the administrative interface without additional authentication barriers, which violates the principle of least privilege and creates an unnecessary attack surface.
Mitigation strategies should focus on implementing proper access controls and privilege separation within the device's web interface. Network administrators should immediately disable unnecessary administrative access for local users and ensure that only authorized personnel have access to critical system functions. Regular firmware updates from NETGEAR should be deployed to address this vulnerability, while network segmentation can help limit the impact of such attacks. Additionally, implementing network monitoring to detect unusual reboot patterns can provide early warning of potential exploitation attempts. This vulnerability highlights the importance of following security best practices such as those outlined in the NIST Cybersecurity Framework and aligns with ATT&CK technique T1499.001 for network denial of service attacks.