CVE-2022-40619 Overview
CVE-2022-40619 is an unauthenticated command injection vulnerability affecting FunJSQ, a third-party module integrated into various NETGEAR routers and Orbi WiFi Systems. The vulnerability exists in an HTTP server exposed over the LAN interface of affected devices, allowing attackers to execute arbitrary commands through the funjsq_access_token parameter without requiring authentication.
Critical Impact
Attackers on the local network can achieve full device compromise through unauthenticated arbitrary command execution, potentially leading to complete takeover of affected NETGEAR routers and Orbi WiFi systems.
Affected Products
- NETGEAR R6230 before version 1.1.0.112
- NETGEAR R6260 before version 1.1.0.88
- NETGEAR R7000 before version 1.0.11.134
- NETGEAR R8900 before version 1.0.5.42
- NETGEAR R9000 before version 1.0.5.42
- NETGEAR XR300 before version 1.0.3.72
- Orbi RBR20 before version 2.7.2.26
- Orbi RBR50 before version 2.7.4.26
- Orbi RBS20 before version 2.7.2.26
- Orbi RBS50 before version 2.7.4.26
Discovery Timeline
- 2026-01-28 - CVE-2022-40619 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2022-40619
Vulnerability Analysis
This vulnerability is classified as CWE-77 (Command Injection) and affects the FunJSQ module's HTTP server that is exposed on the LAN interface of affected NETGEAR devices. The vulnerability allows network-adjacent attackers to inject and execute arbitrary operating system commands without any form of authentication. The attack requires network access but involves complex exploitation conditions. Successful exploitation can lead to complete confidentiality and integrity compromise of the affected device, with limited impact on availability.
Root Cause
The root cause of CVE-2022-40619 lies in improper input validation within the FunJSQ module's HTTP request handling. Specifically, the funjsq_access_token parameter is not properly sanitized before being processed, allowing attackers to inject shell metacharacters and arbitrary commands. The lack of authentication on this endpoint compounds the severity, as any user with LAN access can exploit the vulnerability without credentials.
Attack Vector
The attack vector is network-based, requiring the attacker to be on the same local network as the vulnerable device. The attacker sends a specially crafted HTTP request to the FunJSQ HTTP server endpoint, including malicious payloads within the funjsq_access_token parameter. Since the parameter value is passed to a shell command without proper sanitization, the injected commands are executed with the privileges of the HTTP server process, typically running as root on embedded router systems.
The exploitation involves sending crafted HTTP requests to the local HTTP server exposed by the FunJSQ module. By manipulating the funjsq_access_token parameter with shell metacharacters and command sequences, an attacker can break out of the intended parameter context and execute arbitrary system commands. For detailed technical information, refer to the OneKey Security Advisory on FunJSQ.
Detection Methods for CVE-2022-40619
Indicators of Compromise
- Unusual HTTP traffic to internal router interfaces on non-standard ports associated with FunJSQ services
- Unexpected processes spawning from the HTTP server process on the router
- Modified system configuration files or unauthorized firmware changes
- Outbound connections from the router to unknown external IP addresses
Detection Strategies
- Monitor network traffic for suspicious HTTP requests containing shell metacharacters (;, |, $(), backticks) in request parameters directed at router management interfaces
- Implement network segmentation and monitor for unauthorized LAN traffic patterns targeting router services
- Deploy intrusion detection rules to identify command injection patterns in HTTP parameters
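One way to apply the first and third strategies to captured request lines, as an added example that is not part of the original advisory. The log line format, the `/placeholder` path and the sample lines are constructed for illustration; only the parameter name and the metacharacter list come from this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

PARAM = "funjsq_access_token"
# Metacharacters named in the detection guidance, plus '&' and newline.
META = re.compile(r"[;|&`\n]|\$\(")
# Assumed log shape: <src_ip> "<METHOD> <request-target> HTTP/x.y"
LINE = re.compile(r'(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded input is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_token(request_target):
    """Return the decoded token if it carries shell metacharacters, else None."""
    query = urlsplit(request_target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == PARAM:
            token = decode_fully(value)
            if META.search(token):
                return token
    return None

def scan(log_lines):
    """Return (source_ip, decoded_token) for every flagged request line."""
    hits = []
    for line in log_lines:
        m = LINE.match(line)
        if m:
            token = suspicious_token(m.group(2))
            if token is not None:
                hits.append((m.group(1), token))
    return hits

# Constructed sample lines (documentation address range, placeholder path).
SAMPLE = [
    '192.0.2.10 "GET /placeholder?funjsq_access_token=3f9a1c7e HTTP/1.1"',
    '192.0.2.23 "GET /placeholder?funjsq_access_token=x%3Bid HTTP/1.1"',
    '192.0.2.23 "GET /placeholder?funjsq_access_token=x%2560id%2560 HTTP/1.1"',
    '192.0.2.40 "GET /placeholder?other=1%3B2 HTTP/1.1"',
]

if __name__ == "__main__":
    for src, token in scan(SAMPLE):
        print(f"ALERT src={src} {PARAM}={token!r}")
```

Decoding before matching matters: the second and third sample lines carry no literal metacharacter on the wire, so a rule that only matches raw bytes would miss both.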
Monitoring Recommendations
- Enable logging on affected NETGEAR devices if supported and regularly review for anomalous activity
- Monitor for unexpected configuration changes or new user accounts on router devices
- Implement network-based monitoring to detect lateral movement attempts from compromised routers
How to Mitigate CVE-2022-40619
Immediate Actions Required
- Update all affected NETGEAR routers and Orbi WiFi Systems to the latest firmware versions immediately
- Restrict access to router management interfaces to trusted devices only
- Segment the network to limit exposure of vulnerable devices until patches can be applied
- Review router configurations for signs of compromise before and after patching
Patch Information
NETGEAR has released firmware updates addressing this vulnerability. Users should download and install the latest firmware versions from the official NETGEAR support website. Refer to the Netgear Security Advisory PSV-2022-0117 for detailed patching instructions and firmware download links.
The following minimum firmware versions address CVE-2022-40619:
- R6230: 1.1.0.112
- R6260: 1.1.0.88
- R7000: 1.0.11.134
- R8900: 1.0.5.42
- R9000: 1.0.5.42
- XR300: 1.0.3.72
- RBR20: 2.7.2.26
- RBR50: 2.7.4.26
- RBS20: 2.7.2.26
- RBS50: 2.7.4.26
Workarounds
- Implement network access controls to restrict which devices can communicate with router management interfaces
- If the FunJSQ feature is not required, investigate whether it can be disabled through router settings
- Consider placing vulnerable devices behind an additional firewall or access control layer until patches are applied
Example: to verify the current firmware version on a NETGEAR router, access the router admin interface, navigate to Advanced > Administration > Firmware Update, and compare the installed version against the patched versions listed above.
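The version comparison described above, automated for a device inventory, as an added example that is not part of the original advisory. The fixed versions are copied from the list on this page; the inventory entries, the `OTHER-AP` model name and the handling of a leading `V` or a `_suffix` in the displayed version string are assumptions.

```python
# Minimum fixed firmware versions, copied from the list in this advisory.
FIXED = {
    "R6230": "1.1.0.112", "R6260": "1.1.0.88", "R7000": "1.0.11.134",
    "R8900": "1.0.5.42", "R9000": "1.0.5.42", "XR300": "1.0.3.72",
    "RBR20": "2.7.2.26", "RBR50": "2.7.4.26",
    "RBS20": "2.7.2.26", "RBS50": "2.7.4.26",
}

def parse_version(text):
    """Turn '1.0.11.134' (optionally 'V...' or '..._suffix') into int tuple."""
    core = text.strip().lstrip("Vv").split("_", 1)[0]
    return tuple(int(part) for part in core.split("."))

def status(model, installed):
    """Return 'vulnerable', 'patched' or 'not listed' for one device."""
    fixed = FIXED.get(model.upper())
    if fixed is None:
        return "not listed"  # model is not in this advisory's list
    # Compare numerically, field by field: as plain strings,
    # "1.1.0.100" sorts before "1.1.0.88" and would be misreported.
    if parse_version(installed) >= parse_version(fixed):
        return "patched"
    return "vulnerable"

def audit(inventory):
    """Map (model, installed_version) pairs to (model, version, status)."""
    return [(m, v, status(m, v)) for m, v in inventory]

# Constructed inventory for illustration.
INVENTORY = [
    ("R7000", "V1.0.11.126"),
    ("R6260", "1.1.0.100"),
    ("RBR50", "2.7.4.26"),
    ("OTHER-AP", "1.0.0.1"),
]

if __name__ == "__main__":
    for model, version, result in audit(INVENTORY):
        print(f"{model:10} {version:16} {result}")
```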