HIGH 8.0

CVE-2026-0419: NETGEAR JR6150 Command Injection via Insufficient Input Validation

A flaw in NETGEAR's JR6150 AC750 WiFi router allows anyone connected to the local wireless network to run arbitrary operating system commands on the device. The vulnerability stems from inadequate checking of user input before executing system-level operations. Because this router model reached end-of-support in 2018, NETGEAR has stated no security patches will be released. The company recommends replacing affected devices with current models that receive ongoing security updates.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.0 HIGH · CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-20
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-18

NVD description (verbatim)

Insufficient input validation in NETGEAR JR6150 (AC750 WiFi Router 802.11ac Dual Band Gigabit released in 2014) allows users connected to the local WiFi Networks to execute operating system commands. NETGEAR JR6150 has reached End-of-Support phase as of 2018 , and no further security updates are planned. NETGEAR strongly recommends replacing these devices with newer NETGEAR models to ensure continued security support and updates. This vulnerability has been identified through firmware emulation in a controlled research environment and has not been verified on production hardware.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-0419 is an OS command injection vulnerability in the NETGEAR JR6150 router firmware resulting from insufficient input validation (CWE-20). The vulnerability allows authenticated local wireless users to achieve unauthenticated command execution with the privileges of the router's operating system. The attack vector is adjacent network (AV:A), requires low attack complexity (AC:L), and requires only low privilege level (PR:L) to exploit. The affected firmware versions run on hardware released in 2014. Notably, this vulnerability was identified through firmware emulation in a controlled lab environment rather than live production device testing, which may influence exploitation assumptions in real-world deployments.

Business impact

Organizations or users still operating JR6150 routers face a critical security gap. Any device on the wireless network—including guest or compromised endpoints—can execute commands to reconfigure the router, exfiltrate traffic, establish persistence, or disable security functions. The lack of available patches means vulnerability remediation is limited to hardware replacement or network isolation. For small offices or home networks using this aging equipment, the risk of undetected compromise is significant, particularly if the router handles sensitive traffic or credentials. This vulnerability underscores the operational risk of retaining end-of-life networking infrastructure.

Affected systems

The NETGEAR JR6150 AC750 WiFi Router (802.11ac Dual Band Gigabit, released in 2014) is affected. All firmware versions for this hardware model are vulnerable. No newer firmware revisions will address this issue, as the product reached end-of-support status in 2018. Organizations using this specific model in production environments are at risk.

Exploitability

The vulnerability carries a CVSS 3.1 score of 8.0 (HIGH severity). Exploitation requires network proximity (the attacker must be connected to the target WiFi network) and low privilege (any authenticated wireless user qualifies as "low privilege" in the context of local network access). Once these conditions are met, no additional user interaction is needed, and the attack succeeds with low complexity. The practical barrier to exploitation is primarily the requirement to be on the wireless network; attackers cannot exploit this remotely from the internet. However, within the local network perimeter, exploitation is straightforward. It is important to note that while this vulnerability was identified through firmware analysis rather than on physical hardware, the attack mechanism is fundamental to input validation and would be expected to function on actual deployed devices.

Remediation

No firmware patches will be released for this product line. NETGEAR explicitly recommends replacing affected JR6150 routers with current models that receive active security support and updates. Organizations should develop a replacement timeline based on risk assessment: high-priority networks should be replaced immediately, while lower-risk deployments may be phased out over a defined migration window. As an interim control, isolating the router from untrusted wireless access—such as disabling guest networks, reducing SSID broadcast, or enforcing strong WPA3 encryption if the hardware supports it—may reduce exposure, but these measures do not eliminate the vulnerability.

Patch guidance

No patch is available or planned for the JR6150. Remediation requires hardware replacement. When procuring replacement routers, verify that the chosen model is within its support lifecycle and receives regular firmware security updates. Evaluate models that support modern encryption standards (WPA3) and have published security update schedules. Document the serial numbers and firmware versions of replaced devices to support lifecycle tracking.

Detection guidance

Monitor JR6150 devices on your network for any suspicious command execution patterns, unusual configuration changes, or unexpected system behavior. Implement network segmentation to isolate end-of-life routers from critical systems. Review wireless access logs for unexpected client activity. Because firmware emulation (rather than production hardware testing) was used in the original research, validate detection signatures and behavioral patterns against your specific deployment before relying solely on detection controls. Network intrusion detection systems may flag unusual command syntax transmitted to the router's management interface. If feasible, enable enhanced logging on the router (if supported by the firmware version) to capture administrative actions.

Why prioritize this

This vulnerability merits immediate attention despite not yet appearing on CISA's Known Exploited Vulnerabilities (KEV) catalog. The combination of HIGH severity (CVSS 8.0), the presence of end-of-life status (eliminating patch options), and local network attack surface makes this a critical infrastructure risk. Any organization still operating JR6150 hardware should prioritize replacement as part of their vulnerability management lifecycle. The lack of KEV listing does not diminish the security exposure; it reflects the recent publication date and the reconnaissance phase of potential attacker interest.

Risk score, explained

The CVSS 3.1 score of 8.0 (HIGH) reflects: (1) high impact on confidentiality, integrity, and availability—an attacker gains full operating system command execution; (2) local attack vector—requires network proximity but no internet-facing exposure; (3) low barriers to exploitation—once on the network, any authenticated user can trigger the flaw; (4) no user interaction required—the attack is direct. The score does not account for the end-of-support factor or the research-only (non-production-validated) status; both of these elevate the practical risk for organizations still running this hardware, as they lack remediation options beyond replacement.

Frequently asked questions

Can this vulnerability be exploited remotely from the internet?

No. The vulnerability requires the attacker to be connected to the target router's WiFi network. An attacker on the internet cannot directly exploit it. However, once an attacker gains access to the wireless network—either through compromising a user's device, breaking weak WiFi encryption, or physical proximity—exploitation becomes trivial.

NETGEAR says the vulnerability was identified through firmware emulation, not tested on actual hardware. Does that mean it might not work in practice?

The emulation-based research methodology is credible for input validation flaws; the vulnerability mechanism is fundamental to how the firmware processes commands. However, you should validate behavior against your specific hardware revision and firmware version if you operate these devices. The core risk remains: insufficient input checking in command processing is a real vulnerability regardless of how it was discovered.

We still have JR6150 routers in the field. What should we do immediately?

First, audit your network to identify all JR6150 devices. Second, if they are in production and handle sensitive traffic, prioritize replacement with a current NETGEAR model or alternative vendor offering active security support. Third, segment your network so the router is isolated from high-value systems. Fourth, enforce strong WiFi encryption (WPA2 minimum, WPA3 if supported) and disable guest networks if not actively used. Patch management at the host level does not address this router firmware issue.

Why is there no patch if this vulnerability is HIGH severity?

The JR6150 reached end-of-support in 2018—a hardware refresh cycle that predates this CVE publication by several years. NETGEAR has closed out security support for this product line. The company's resource allocation prioritizes current product lines. This is a common scenario in consumer electronics; organizations relying on aging hardware must account for the support lifecycle when managing risk.

This vulnerability summary is based on publicly disclosed information as of the publication date. The original vulnerability research relied on firmware emulation in a controlled environment rather than validation on production hardware; organizations should verify applicability to their specific device hardware revision and firmware version. NETGEAR has confirmed end-of-support status and no patches will be released. This summary does not constitute legal, compliance, or warranty advice. Consult NETGEAR's official advisory and your organization's risk assessment process before making remediation decisions. Exploit code and weaponized proof-of-concept techniques are not provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).