CVE-2026-0404 in RBRE960
Summary
by MITRE • 01/13/2026
An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/12/2026
The vulnerability identified as CVE-2026-0404 represents a critical security flaw within NETGEAR Orbi device firmware that stems from inadequate input validation mechanisms within the DHCPv6 implementation. This issue specifically affects wireless routers and mesh networking systems that utilize the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) functionality. The vulnerability exists in the way these devices process incoming DHCPv6 packets, particularly when handling certain parameter values that are not properly sanitized or validated before being processed by the underlying operating system. The flaw manifests when the device receives specially crafted DHCPv6 messages that contain maliciously formatted input data, which then gets interpreted and executed as system commands without proper security controls.
Network adjacent attackers who possess the ability to communicate with the affected devices over either wireless WiFi networks or wired local area networks can exploit this vulnerability to execute arbitrary operating system commands on the router itself. The attack vector requires physical proximity or network access to the device, as the vulnerability does not permit remote exploitation from external networks. However, the security implications are severe because the compromised device could be used to gain full administrative control over the network infrastructure, potentially allowing attackers to redirect traffic, install malicious software, or establish persistent access points within the network environment. The DHCPv6 protocol itself is designed to automatically configure IPv6 network parameters for devices, but in this case, the implementation fails to properly validate the integrity of received data, creating a command injection pathway.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables attackers to compromise the entire network infrastructure controlled by the affected router. When successfully exploited, the command injection allows attackers to execute privileged operations that could include modifying network configurations, accessing sensitive data stored on the device, or even installing backdoors for continued access. The fact that DHCPv6 is not enabled by default provides some mitigation, but this only serves to reduce the attack surface rather than eliminate the risk entirely. Organizations that have enabled DHCPv6 functionality on their NETGEAR Orbi devices remain vulnerable to this attack, particularly in environments where wireless access points are deployed and network segmentation is insufficient. This vulnerability aligns with CWE-77 and CWE-94 categories, representing both command injection and insufficient input validation issues that are commonly exploited in network infrastructure devices.
Security professionals should prioritize addressing this vulnerability through firmware updates provided by NETGEAR, as the manufacturer has likely released patches to correct the input validation flaws in the DHCPv6 implementation. Network administrators should also consider implementing additional monitoring and access controls to detect unusual DHCPv6 traffic patterns that might indicate exploitation attempts. The mitigation strategy should include disabling DHCPv6 functionality if it is not required for the network environment, as this represents the most immediate and effective defensive measure. Additionally, network segmentation and access control lists can help limit the potential impact of exploitation by restricting unauthorized network access to devices that might be vulnerable. This vulnerability demonstrates the importance of validating all network inputs and implementing proper security controls within network infrastructure devices, as highlighted by ATT&CK technique T1059.004 for command and scripting interpreter usage, which is directly applicable to the command injection scenario described in this vulnerability.