CVE-2022-40620

CWE-295 — Improper Certificate Validation3 documents3 sources

Severity

7.7HIGH

EPSS

0.1%

top 67.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netgear R6230 Firmware Netgear R6260 Firmware Netgear R7000 Firmware +7 more

Timeline

PublishedJan 28

Description

FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS certificates when downloading update packages through its auto-update mechanism. An attacker (suitably positioned on the network) could intercept the update request and deliver a malicious update package in order to gain arbitrary code execution on affected devices. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 b…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:LExploitability: 2.2 | Impact: 5.5

Affected Packages10 packages

▶NVDnetgear/r6230_firmware< 1.1.0.112

▶NVDnetgear/r6260_firmware< 1.1.0.88

▶NVDnetgear/r7000_firmware< 1.0.11.134

▶NVDnetgear/r8900_firmware< 1.0.5.42

▶NVDnetgear/r9000_firmware< 1.0.5.42

🔴Vulnerability Details

GHSA

GHSA-8cgh-w254-67rw: FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS certificates when downloading up↗2026-01-28

▶

CVEList

CVE-2022-40620: FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS certificates when downloading up↗2026-01-28

▶