CVE-2026-0408

A path traversal vulnerability in NETGEAR WiFi range extenders allows an attacker with LAN authentication to access the router's IP and review the contents of the dynamically generated webproc file, which records the username and password submitted to the router GUI.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory	Vendor Advisory Patch
https://www.netgear.com/support/product/ex2800	Product Patch
https://www.netgear.com/support/product/ex3110	Product Patch
https://www.netgear.com/support/product/ex5000	Product Patch
https://www.netgear.com/support/product/ex6110	Product Patch

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:netgear:ex2800_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:ex2800:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:netgear:ex3110_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:ex3110:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:netgear:ex5000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:ex5000:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:netgear:ex6110_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:ex6110:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-13 16:16

Updated : 2026-02-20 19:41

NVD link : CVE-2026-0408

Mitre link : CVE-2026-0408

CVE.ORG link : CVE-2026-0408

JSON object : View

Products Affected

netgear

ex5000
ex3110_firmware
ex3110
ex6110_firmware
ex2800_firmware
ex2800
ex6110
ex5000_firmware

CWE

CWE-287

Improper Authentication

{"id": "CVE-2026-0408", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}], "cvssMetricV40": [{"type": "Secondary", "source": "a2826606-91e7-4eb6-899e-8484bd4575d5", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 6.1, "Automatable": "NO", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber", "exploitMaturity": "UNREPORTED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-13T16:16:11.017", "references": [{"url": "https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory", "tags": ["Vendor Advisory", "Patch"], "source": "a2826606-91e7-4eb6-899e-8484bd4575d5"}, {"url": "https://www.netgear.com/support/product/ex2800", "tags": ["Product", "Patch"], "source": "a2826606-91e7-4eb6-899e-8484bd4575d5"}, {"url": "https://www.netgear.com/support/product/ex3110", "tags": ["Product", "Patch"], "source": "a2826606-91e7-4eb6-899e-8484bd4575d5"}, {"url": "https://www.netgear.com/support/product/ex5000", "tags": ["Product", "Patch"], "source": "a2826606-91e7-4eb6-899e-8484bd4575d5"}, {"url": "https://www.netgear.com/support/product/ex6110", "tags": ["Product", "Patch"], "source": "a2826606-91e7-4eb6-899e-8484bd4575d5"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "a2826606-91e7-4eb6-899e-8484bd4575d5", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability in NETGEAR WiFi range extenders allows\n an attacker with LAN authentication to access the router's IP and \nreview the contents of the dynamically generated webproc file, which \nrecords the username and password submitted to the router GUI."}, {"lang": "es", "value": "Una vulnerabilidad de salto de ruta en extensores de rango WiFi de NETGEAR permite a un atacante con autenticaci\u00f3n LAN acceder a la IP del router y revisar el contenido del archivo webproc generado din\u00e1micamente, que registra el nombre de usuario y la contrase\u00f1a enviados a la GUI del router."}], "lastModified": "2026-02-20T19:41:22.173", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:netgear:ex2800_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55DC6A0A-B406-4813-ADA4-05F62A50AA3B", "versionEndExcluding": "1.0.1.82"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:netgear:ex2800:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BE27681D-2B5D-4816-84CD-ACDBAF1A12CD"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:netgear:ex3110_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAF86049-4F34-4615-B8D5-9B06023F1AE9", "versionEndExcluding": "1.0.1.82"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:netgear:ex3110:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3C254694-4C37-4C5E-BF1C-06EC09BDCA1B"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:netgear:ex5000_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D7590BA-50CD-414F-8ED2-458F6227F3CB", "versionEndExcluding": "1.0.1.82"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:netgear:ex5000:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5F300D51-FEF5-4D49-851C-5B56F6A5087A"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:netgear:ex6110_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6185EE4D-DFB0-4460-8E90-9DF2F1093004", "versionEndExcluding": "1.0.1.82"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:netgear:ex6110:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "04329A16-D96D-4E1D-8AC9-EA3882F1DC41"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "a2826606-91e7-4eb6-899e-8484bd4575d5"}