CVE-2026-0411: NETGEAR Orbi Admin Takeover via Information Disclosure
A security flaw in NETGEAR Orbi mesh WiFi systems could let someone already on your network steal administrator credentials and take control of your router. The vulnerability affects specific satellite models in the RBR, RBE, and RBS product lines. Standalone Orbi systems without satellites are not at risk. An attacker with network access could escalate from regular user to full administrative control without needing to interact with the device itself.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.0 HIGH · CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-200
- Affected products
- 10 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-18
NVD description (verbatim)
An information disclosure vulnerability in the NETGEAR Orbi satellites (RBR/RBE/RBS Series) could allow a user connected to your network to gain administrator access to the Orbi router. The listed NETGEAR models are affected by this vulnerability. Orbi WiFi Systems without satellite devices are not impacted by this issue.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-0411 is an information disclosure vulnerability (CWE-200) in NETGEAR Orbi satellite firmware that exposes sensitive data allowing unauthorized privilege escalation. The vulnerability requires an attacker to already be connected to the network (adjacent network access vector) and possess at least basic user-level privileges, but does not require user interaction. Once exploited, an attacker gains high-impact confidentiality, integrity, and availability compromises—effectively achieving administrator-level command of the affected Orbi system. The flaw is specific to mesh configurations that include satellite devices; standard single-unit Orbi deployments are unaffected.
Business impact
Compromise of Orbi administrative credentials could allow an attacker to modify network settings, intercept traffic, disable security policies, or pivot to connected devices on the home or small-business network. For managed service providers or corporate deployments using Orbi systems, this could result in lateral movement into employee or customer infrastructure. The requirement for prior network access limits the immediate risk to trusted insiders or users who have already breached the perimeter, but the severity of full admin access makes this a meaningful threat in multi-user or guest-network environments.
Affected systems
The vulnerability affects NETGEAR Orbi models RBR350, RBR760, RBE970, RBS350, and RBS760, including both the firmware and hardware in these product lines. Only systems that include satellite devices are vulnerable; standalone Orbi WiFi systems are explicitly not impacted. Organizations should verify which specific firmware versions on these models are vulnerable by consulting NETGEAR's official security advisories.
Exploitability
Exploitation requires an attacker to already have network connectivity to the affected Orbi system and possess user-level privileges or guest access. The attack surface is therefore limited to individuals already inside the network perimeter or those with social-engineering access. The low complexity of the attack once prerequisites are met, combined with the absence of required user interaction, means that anyone fulfilling the access criteria could potentially execute the exploit without technical sophistication. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and no public exploit code has been confirmed.
Remediation
NETGEAR has released security patches for affected Orbi satellite firmware. Administrators should immediately check for available firmware updates for their specific RBR, RBE, or RBS models through the Orbi app or web management console and apply them as soon as feasible. Until patches are deployed, consider restricting guest network access, disabling remote management features, and reviewing logged-in users to the Orbi system. Verify the patched firmware version against NETGEAR's official advisory to confirm the vulnerability is addressed.
Patch guidance
Access your Orbi system's web interface or mobile app and navigate to Settings > System. Check for available firmware updates and install them immediately. NETGEAR typically pushes updates automatically, but manual installation may be necessary for systems not connected to internet or with auto-update disabled. After patching, power-cycle the Orbi system to ensure all satellites and the router receive the update. Document the firmware version before and after the update. Verify that the patched version matches NETGEAR's published security advisory to confirm the vulnerability is resolved.
Detection guidance
Monitor Orbi system logs for unauthorized login attempts or privilege escalation events. If web access is available, check Settings > Administration Logs for suspicious activity. Organizations with Orbi systems should verify user account lists and ensure no unexpected administrator accounts have been created. Network-based detection could include monitoring for unusual traffic patterns originating from Orbi devices after initial compromise. If you suspect exploitation, reset the Orbi system to factory defaults, reconfigure with a strong new password, and patch to the latest firmware.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH CVSS score (8.0), the potential for administrative takeover of network infrastructure, and the low barrier to exploitation for anyone already on the network. In mixed-trust environments—such as offices with guest networks, multi-family housing, or managed service provider deployments—the risk is elevated. Although KEV status is not confirmed and exploits are not widely public, the severity of potential impact (full device control) and the specificity of affected hardware lines make this a clear prioritization candidate.
Risk score, explained
The CVSS 3.1 score of 8.0 (HIGH) reflects a vulnerability requiring adjacent network access and low user privileges (PR:L), but delivering high impact across confidentiality, integrity, and availability (C:H/I:H/A:H) with no user interaction required (UI:N) and a single security scope (S:U). While the attack prerequisites (network access + user privileges) are not trivial in isolation, once met they enable complete administrative compromise. The HIGH severity is justified by the potential for full device takeover and the frequency with which satellite networks are deployed in environments with multiple users or guest access.
Frequently asked questions
Does this affect all NETGEAR Orbi systems?
No. Only Orbi systems that include satellite devices are vulnerable. Specifically, the RBR350, RBR760, RBE970, RBS350, and RBS760 models are affected. Standalone Orbi WiFi systems without satellites are not impacted by this vulnerability.
Can an attacker exploit this from outside my network?
No. The vulnerability requires the attacker to already be connected to your Orbi network and have at least basic user-level access. This limits exploitation to insiders, guests with network access, or individuals who have already compromised a device on your network. Remote exploitation is not possible.
What should I do if I suspect my Orbi has been compromised?
Immediately check your Orbi admin account for unauthorized changes, review the administration logs for suspicious activity, and verify no unexpected admin accounts exist. Apply the latest firmware patch, then consider a factory reset and reconfiguration with a new strong password. If you believe data was exfiltrated, monitor connected devices for signs of compromise.
Is there active exploitation in the wild?
As of the latest update, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and no widespread exploitation has been publicly confirmed. However, you should still prioritize patching given the severity and the specificity of the affected models.
This analysis is provided for informational purposes and reflects the vulnerability details as published. Specific patch version numbers, timelines, and full technical indicators should be verified against NETGEAR's official security advisories. Organizations should conduct their own risk assessment based on their network architecture and threat model. SEC.co does not guarantee the completeness or real-time accuracy of this intelligence and recommends consulting primary vendor sources for the most current remediation guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-36611HIGHMercusys AC12G Memory Disclosure Vulnerability
- CVE-2026-41032HIGHNetwork Controller Unauthenticated Log File Disclosure Vulnerability
- CVE-2026-45300HIGHAsyncHttpClient Cookie Leakage on Cross-Origin Redirects
- CVE-2026-45332HIGHAutomad Unauthenticated Administrator Credential Exposure
- CVE-2026-45553HIGHNiceGUI reStructuredText File Disclosure Vulnerability
- CVE-2026-49187HIGHAcer Connect M6E 5G Unvalidated Resource Exposure
- CVE-2026-49193HIGHAcer Connect M6E 5G Cloud Storage Telemetry Exposure (CVSS 7.5)