CVE-2022-40619Command Injection in Netgear R6230 Firmware

CWE-77Command Injection4 documents4 sources
Severity
7.7HIGHNVD
EPSS
1.1%
top 22.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
10
Netgear R6230 FirmwareNetgear R6260 FirmwareNetgear R7000 Firmware+7 more
Timeline
PublishedJan 28

Description

FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devices. This interface is vulnerable to unauthenticated arbitrary command injection through the funjsq_access_token parameter. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:LExploitability: 2.2 | Impact: 5.5

Affected Packages10 packages

NVDnetgear/r6230_firmware< 1.1.0.112
NVDnetgear/r6260_firmware< 1.1.0.88
NVDnetgear/r7000_firmware< 1.0.11.134
NVDnetgear/r8900_firmware< 1.0.5.42
NVDnetgear/r9000_firmware< 1.0.5.42

🔴Vulnerability Details

3
GHSA
GHSA-5gwm-h32x-cppq: FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devic2026-01-28
CVEList
CVE-2022-40619: FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devic2026-01-28
VulnCheck
NETGEAR Routers FunJSQ Vulnerability2022
CVE-2022-40619 — Command Injection in Netgear | cvebase