Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-0404

CVE-2026-0404: Netgear Rbr750 Firmware RCE Vulnerability

CVE-2026-0404 is a remote code execution flaw in Netgear Rbr750 Firmware affecting DHCPv6 functionality. Network-adjacent attackers can execute OS commands on the router. This article covers technical details, impact, and mitigation.

Updated:

CVE-2026-0404 Overview

CVE-2026-0404 is an OS command injection vulnerability in the DHCPv6 functionality of NETGEAR Orbi mesh WiFi systems. The flaw stems from insufficient input validation [CWE-20] in how the router processes DHCPv6 messages. An attacker who is network-adjacent and authenticated over WiFi or connected to the LAN can inject operating system commands that execute on the router. DHCPv6 is not enabled by default, which limits the exposed attack surface. NETGEAR published the issue in its January 2026 Security Advisory, and it affects multiple Orbi router, satellite, and extender models including the RBR750, RBR850, RBR860, RBS750, RBS850, RBS860, RBRE950, RBRE960, RBSE950, and RBSE960 product lines.

Critical Impact

A LAN-resident or WiFi-authenticated attacker can execute arbitrary OS commands on the router when DHCPv6 is enabled, leading to full device compromise and a pivot point into the internal network.

Affected Products

  • NETGEAR Orbi routers: RBR750, RBR840, RBR850, RBR860 firmware
  • NETGEAR Orbi satellites: RBS750, RBS840, RBS850, RBS860 firmware
  • NETGEAR Orbi extenders: RBRE950, RBRE960, RBSE950, RBSE960 firmware

Discovery Timeline

Technical Details for CVE-2026-0404

Vulnerability Analysis

The vulnerability resides in the DHCPv6 handling code path on Orbi devices. DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is responsible for assigning IPv6 addresses and configuration parameters to clients on the LAN. The Orbi implementation does not adequately sanitize fields received in DHCPv6 client messages before passing them to a system-level command interpreter. As a result, attacker-controlled content is interpreted as shell metacharacters rather than treated as opaque protocol data.

Exploitation requires the attacker to be on the LAN segment or authenticated to the wireless network, and DHCPv6 must be enabled on the device (it is disabled by default). When those conditions are met, the attacker sends a crafted DHCPv6 message containing shell metacharacters in a parsed option. The router processes the message and executes the injected commands with the privileges of the DHCP handling process, typically root on embedded Linux-based routers.

Root Cause

The root cause is improper input validation [CWE-20] of DHCPv6 protocol fields. The vulnerable code path concatenates client-supplied option values into a command string that is then passed to a shell or system()-style call without escaping, quoting, or whitelisting permitted characters.

Attack Vector

The attack vector is adjacent network. An attacker must already have layer-2 reachability to the router, either as an authenticated WiFi client or as a wired LAN device. The attacker sends a malicious DHCPv6 solicit, request, or related message containing shell metacharacters in a parsable option field. No user interaction is required on the target router. Successful exploitation grants command execution on the device, which can be used to install persistent implants, intercept traffic, modify DNS responses, or pivot to other internal hosts.

No verified public proof-of-concept code is currently available for this issue. Refer to the NETGEAR Security Advisory for vendor technical details.

Detection Methods for CVE-2026-0404

Indicators of Compromise

  • Unexpected outbound connections originating from the router's management IP, particularly to non-NETGEAR infrastructure.
  • DHCPv6 client packets on the LAN containing shell metacharacters such as backticks, $(), ;, |, or & inside option fields like FQDN, vendor class, or client identifier.
  • New or modified processes on the router, unexpected iptables or routing changes, or DNS resolver configuration tampering.
  • Wireless clients that have authenticated successfully but generate anomalous DHCPv6 traffic volumes or option content.

Detection Strategies

  • Inspect DHCPv6 traffic on the LAN with a packet capture or network sensor and alert on option strings containing shell metacharacters.
  • Correlate authenticated WiFi association events with subsequent DHCPv6 message anomalies from the same MAC address.
  • Monitor router syslog and SNMP telemetry for unexpected process spawns, configuration changes, or reboots following DHCPv6 activity.

Monitoring Recommendations

  • Forward router, DHCP, and wireless authentication logs into a centralized analytics platform such as Singularity Data Lake to baseline normal DHCPv6 behavior and surface deviations.
  • Track endpoint telemetry on LAN-connected hosts with Singularity Endpoint to identify any post-exploitation pivot activity such as lateral scans or credential access attempts.
  • Audit which Orbi devices in the environment have DHCPv6 enabled and review whether that service is required.

How to Mitigate CVE-2026-0404

Immediate Actions Required

  • Apply the firmware updates listed in the NETGEAR Security Advisory January 2026 to every affected Orbi router, satellite, and extender.
  • Disable DHCPv6 on Orbi devices where IPv6 dynamic configuration is not required, since the service is not enabled by default and removing it eliminates the attack surface.
  • Enforce WPA2/WPA3 with strong unique passphrases and review the WiFi client list to remove unknown or stale devices that could serve as attacker footholds.
  • Segment guest WiFi from the management VLAN so adjacent attackers on guest networks cannot reach the router's DHCPv6 service.

Patch Information

NETGEAR has released fixed firmware for each affected Orbi model. Consult the model-specific support pages, including the RBR750, RBR850, RBR860, RBS750, RBS850, RBS860, RBRE950, RBRE960, RBSE950, and RBSE960 pages, for the exact firmware versions and download links.

Workarounds

  • Leave DHCPv6 disabled if there is no business requirement for stateful IPv6 address assignment from the router.
  • Restrict WiFi access using MAC filtering or 802.1X where supported, and rotate the WiFi passphrase to force reauthentication of trusted clients.
  • Place the Orbi management interface on a dedicated VLAN that is not reachable from user or guest segments.
bash
# Verify and disable DHCPv6 on the Orbi web UI path (illustrative)
# Navigate: ADVANCED > Advanced Setup > IPv6
# Internet Connection Type: set to a non-DHCPv6 option (e.g., Auto Config or Disabled)
# Save and reboot the device

# After patching, confirm running firmware on the admin page:
# ADVANCED > Administration > Router Update > Check

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne