MEDIUM 6.4

CVE-2026-0409: NETGEAR Orbi 370 Series Command Injection Firmware Vulnerability

NETGEAR Orbi 370 series mesh routers contain a vulnerability that allows attackers to execute arbitrary commands on the device. An attacker must intercept and modify network traffic between the router and the Internet, then wait for the device administrator to perform specific management actions. The vulnerability affects Orbi 370, 371, 372, and 374 models running firmware versions prior to V12.1.2.7.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119
Affected products
8 configuration(s)
Published / Modified
2026-06-09 / 2026-06-18

NVD description (verbatim)

A NETGEAR security issue that could allow an attacker with ability to intercept and tamper with traffic between the router and the Internet to run commands on your device when the device administrator performs certain specific management actions. This issue affects NETGEAR Orbi 370 series devices before V12.1.2.7.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-0409 is a command injection vulnerability (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) in NETGEAR Orbi 370 series devices. The flaw requires an attacker positioned to intercept and tamper with traffic (man-in-the-middle capability) between the router and upstream Internet connectivity. Exploitation depends on high complexity conditions: the attacker must time their payload injection to coincide with administrative management operations performed by a device operator. The attack does not work against standard user traffic or without active administrator intervention. CVSS v3.1 score of 6.4 (MEDIUM) reflects the high complexity and prerequisites required, balanced against the severity of complete compromise if successfully exploited.

Business impact

Successful exploitation grants attackers command execution privileges on the router, potentially enabling lateral movement into corporate or residential networks. Compromised routers become persistent attack infrastructure: they can intercept encrypted sessions, harvest credentials, redirect traffic, or serve as pivot points into connected devices. For organizations relying on Orbi 370 series for network perimeter defense or SOHO deployments, this represents a threat to confidentiality, integrity, and availability of downstream assets. The requirement for active administrator intervention means the risk window is narrower than unauthenticated remote exploits, but administrative actions (firmware updates, settings changes) occur regularly enough to present ongoing risk.

Affected systems

NETGEAR Orbi 370 series is affected: specifically the RBE370, RBE371, RBE372, and RBE374 models and their associated firmware images. All versions prior to firmware version V12.1.2.7 are vulnerable. Organizations and users should audit device inventory to identify which Orbi 370 series units are deployed and currently running firmware versions below the patched threshold.

Exploitability

Exploitation requires multiple preconditions that limit widespread automated attacks. The attacker must: (1) position themselves on the network path between the target router and the Internet (man-in-the-middle), (2) identify or monitor for specific administrative management actions by the device administrator, and (3) inject a malicious payload at the precise moment when those actions are executed. This is not a zero-click or unauthenticated remote vulnerability. The CVSS vector (AC:H, PR:H, UI:R) confirms high attack complexity and the need for prior administrative-level context. Real-world exploitation likelihood is elevated in scenarios where attackers already control upstream ISP infrastructure, compromised backbone routers, or can perform DNS/BGP hijacking, but much lower in standard threat environments.

Remediation

Organizations and users must upgrade affected Orbi 370 series devices to firmware version V12.1.2.7 or later. NETGEAR has released a patched firmware build that addresses the vulnerability. Verify the exact firmware version available for your specific model (RBE370, RBE371, RBE372, RBE374) on the NETGEAR support website before upgrading. Once patched, the command injection vector is closed and administrative actions no longer create a window for this exploitation path.

Patch guidance

Prioritize firmware updates for all Orbi 370 series devices in your environment. The patch is available as firmware version V12.1.2.7 or later. Most NETGEAR routers support automatic or manual firmware updates through the web admin interface or mobile app. Verify successful patch application by confirming the running firmware version matches or exceeds V12.1.2.7. Stagger updates to avoid simultaneous loss of network connectivity, or apply patches during maintenance windows. Before updating, back up any custom configuration if applicable. NETGEAR advisories should be consulted for model-specific update procedures.

Detection guidance

Detection of exploitation is difficult because the attack requires valid man-in-the-middle positioning and depends on timing with legitimate administrative actions. Network monitoring can identify suspicious outbound connections or unusual command patterns originating from the router after administrative activities occur. Log inspection on the router (if accessible and retained) may show unexpected command execution entries around times of management operations. Passive network telemetry looking for unexplained data exfiltration or C2-like traffic from the router's LAN IP may surface compromises post-facto. Monitor for unexpected firmware version regressions or configuration changes. Given the MITM requirement, detecting the attack vector itself (traffic interception) is primary: implement DNSSEC, monitor for BGP anomalies, and enforce encrypted tunnels for critical traffic.

Why prioritize this

Although CVE-2026-0409 carries a MEDIUM CVSS score and requires high-complexity preconditions, it should be prioritized because: (1) the impact of successful exploitation is complete router compromise, affecting all downstream network segments; (2) routers are rarely isolated or easily patched in many environments, creating long dwell windows; (3) the device is on the network edge, making it a valuable pivot point for attackers who achieve MITM positioning; (4) administrative users perform management actions regularly, refreshing the exploitation window. Organizations with Orbi 370 series devices should update within 60-90 days; those in high-trust networks or serving sensitive workloads should prioritize to 30 days.

Risk score, explained

The CVSS 6.4 (MEDIUM) score appropriately reflects the attack prerequisites: high complexity (AC:H), high privilege level (PR:H), and user interaction (UI:R) all reduce the likelihood of exploitation. However, this does not minimize the impact—compromise grants high confidentiality, integrity, and availability impact (C:H, I:H, A:H). The network-accessible attack vector (AV:N) ensures the vulnerability is not purely local. The moderate score should not delay patching; it reflects that exploitation requires specialized attacker capability and favorable timing rather than widespread risk to unpatched devices.

Frequently asked questions

Do I need to be connected to the Internet for this vulnerability to be exploited?

Yes and no. The attacker must intercept traffic between your Orbi router and the Internet, so your router must be online. However, they do not need access to your local Wi-Fi or LAN—they need to position themselves on the path between your router and your ISP, which typically requires compromise of upstream infrastructure or the ability to perform BGP/DNS hijacking. Once they are in that position, they can wait for you to perform administrative actions.

What counts as a 'specific management action' that triggers the vulnerability?

The CVE description references 'certain specific management actions' without publicly detailing which ones. This is typical in early disclosures to avoid weaponization. Review NETGEAR's advisory and security bulletin for clarification, or assume that any administrative operation (firmware updates, settings changes, password resets, device reboot through web interface) could potentially trigger the vulnerability. Apply the patch rather than attempting to identify and avoid specific actions.

Does upgrading firmware delete my router settings?

Firmware updates typically preserve your router configuration and Wi-Fi settings. However, always back up your configuration before upgrading, and test in a non-production environment if feasible. Consult NETGEAR's update guide for your specific model (RBE370, RBE371, RBE372, or RBE374) for detailed pre-update steps.

Is this vulnerability actively being exploited in the wild?

CVE-2026-0409 is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, which means there is no confirmed evidence of active exploitation at the time of publication. However, absence of evidence is not evidence of absence. Given the attack complexity, widespread exploitation by commodity malware is unlikely, but targeted attackers with network position (e.g., rogue ISPs, nation-state actors) remain potential adversaries. Patch as part of routine maintenance rather than as an emergency response.

This analysis is based on publicly available CVE data and NETGEAR vendor advisories as of the publication date. SEC.co does not produce or verify exploit code, and this document contains no weaponizable proof-of-concept details. Patch version numbers and affected product lists are sourced from authoritative vendor advisories; always verify against the latest NETGEAR security bulletins before deploying patches. CVSS scores and severity ratings reflect industry standard metrics but may be reassessed as new information emerges. Organizations should conduct their own risk assessment based on network architecture, exposure, and threat model. This explainer is provided for informational purposes and does not constitute legal, compliance, or professional security advice. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).