CVE-2026-0405 Overview
CVE-2026-0405 is an authentication bypass vulnerability [CWE-287] affecting a broad range of NETGEAR Orbi mesh routers and satellites. The flaw allows any user already connected to the local area network (LAN) to access the router web interface with administrative privileges. Exploitation requires adjacent network access but no valid credentials, meaning guest Wi-Fi clients, compromised endpoints, or untrusted IoT devices on the same network segment can take full control of the device. NETGEAR published a security advisory in January 2026 covering multiple Orbi and Nighthawk Mesh product lines.
Critical Impact
Any device on the local network can bypass authentication and gain administrator access to the Orbi router web interface, enabling DNS hijacking, traffic interception, and persistent firmware-level compromise.
Affected Products
- NETGEAR Orbi routers and satellites: RBR750/RBR840/RBR850/RBR860, RBS750/RBS840/RBS850/RBS860
- NETGEAR Orbi WiFi 7 and WiFi 6E series: RBE370/371/372/373/374, RBE770/771/772/773, RBE970/971
- NETGEAR cable and 5G gateway models: CBR750, NBR750, plus RBRE950/RBRE960 and RBSE950/RBSE960 extenders
Discovery Timeline
- 2026-01-13 - CVE-2026-0405 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2026-0405
Vulnerability Analysis
The vulnerability resides in the authentication logic of the Orbi web management interface. According to the NETGEAR advisory, the router fails to properly verify the identity of clients issuing requests from the LAN. As a result, a user on the local network can reach administrative endpoints without supplying valid credentials and operate the device as an admin.
The CWE-287 classification (Improper Authentication) indicates the underlying defect is in how authentication state is established or validated, rather than a credential disclosure issue. Once an attacker achieves admin access, they control router configuration including DNS settings, firewall rules, port forwarding, remote management options, and firmware update behavior.
Because the attack vector is Adjacent Network, exploitation is constrained to attackers with Layer 2 reachability. In practice, this includes guest network clients, devices on the main SSID, employees on home offices using the affected router, and any compromised IoT device sharing the network.
Root Cause
The root cause is improper authentication enforcement on the router's web interface. The device treats requests originating from the local network as trusted, or accepts requests that lack a valid authenticated session for administrative actions. NETGEAR has not disclosed the specific implementation detail in its public advisory.
Attack Vector
An attacker on the LAN sends crafted HTTP requests directly to the Orbi web interface. Without supplying admin credentials, the attacker accesses configuration pages and persists changes. No user interaction is required on the victim side, and exploitation does not require prior knowledge of the admin password.
No public proof-of-concept exploit code is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the NETGEAR Security Advisory January 2026 for vendor-supplied technical context.
Detection Methods for CVE-2026-0405
Indicators of Compromise
- Unexpected changes to Orbi router configuration: DNS servers, WAN settings, port forwarding rules, or administrator credentials
- New or modified remote management settings enabling WAN-side access to the admin interface
- Unrecognized firmware versions or downgrade events outside scheduled maintenance windows
- Outbound traffic from internal hosts routed through unfamiliar DNS resolvers or VPN endpoints
Detection Strategies
- Monitor LAN traffic to the router management IP for HTTP/HTTPS requests originating from non-administrative hosts, particularly guest network or IoT VLAN clients
- Baseline router configuration state and alert on out-of-band changes to DNS, firewall, or admin account settings
- Inspect router system logs, where available, for administrative actions not tied to authenticated admin sessions
Monitoring Recommendations
- Forward router syslog data to a centralized logging platform and retain configuration snapshots for diff analysis
- Alert on DNS resolution changes on internal clients that suggest router-level DNS hijacking
- Track firmware version inventory across all Orbi devices and flag deviations from the approved patched baseline
How to Mitigate CVE-2026-0405
Immediate Actions Required
- Apply the firmware update referenced in the NETGEAR Security Advisory January 2026 for every affected Orbi or Nighthawk Mesh model in your environment
- Audit existing router configurations for unauthorized DNS, port forwarding, or remote management changes before and after patching
- Rotate the router administrator password and any pre-shared Wi-Fi keys following the update
Patch Information
NETGEAR has released patched firmware for the affected Orbi product lines. Specific fixed firmware versions are listed per model in the vendor advisory and on each product support page, such as the NETGEAR RBR850 Support Page and the NETGEAR RBE973 series support resources. Enable automatic firmware updates where supported to reduce future exposure windows.
Workarounds
- Isolate untrusted clients (guest Wi-Fi, IoT devices, BYOD endpoints) onto a separate VLAN or SSID that cannot reach the router management interface
- Restrict access to the router's web administration interface to a dedicated management host or subnet using access control lists where the device supports it
- Disable remote management from the WAN side until patching is verified across all affected devices
# Verify Orbi firmware version via the local admin interface (example)
# Replace 192.168.1.1 with your router's LAN IP
curl -k -s -o /dev/null -w "%{http_code}\n" https://192.168.1.1/currentsetting.htm
# Network segmentation example: block guest VLAN from reaching the router management IP
# (syntax depends on upstream firewall/switch)
iptables -I FORWARD -i guest0 -d 192.168.1.1 -p tcp --dport 80 -j DROP
iptables -I FORWARD -i guest0 -d 192.168.1.1 -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

