CVE-2022-40619

Published: Jan 28, 2026Modified: Mar 9, 2026

7.7

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Exploitability: 2.2 / Impact: 5.5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devices. This interface is vulnerable to unauthenticated arbitrary command injection through the funjsq_access_token parameter. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26.

Affected (10)

Products: Netgear: Rbr20 Firmware, R6230 Firmware, R6260 Firmware, R7000 Firmware, R8900 Firmware, R9000 Firmware, Rax120 Firmware, Rax120v2 Firmware, Xr300 Firmware, Rbs20 Firmware

10 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear Rbr20 Firmware	Before 2.7.2.26

Running on/with	Platform Versions
Netgear Rbr20	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear R6230 Firmware	Before 1.1.0.112

Running on/with	Platform Versions
Netgear R6230	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear R6260 Firmware	Before 1.1.0.88

Running on/with	Platform Versions
Netgear R6260	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear R7000 Firmware	Before 1.0.11.134

Running on/with	Platform Versions
Netgear R7000	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear R8900 Firmware	Before 1.0.5.42

Running on/with	Platform Versions
Netgear R8900	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear R9000 Firmware	Before 1.0.5.42

Running on/with	Platform Versions
Netgear R9000	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear Rax120 Firmware	Before 1.2.8.40

Running on/with	Platform Versions
Netgear Rax120	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear Rax120v2 Firmware	Before 1.2.8.40

Running on/with	Platform Versions
Netgear Rax120v2	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear Xr300 Firmware	Before 1.0.3.72

Running on/with	Platform Versions
Netgear Xr300	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear Rbs20 Firmware	Before 2.7.2.26

Running on/with	Platform Versions
Netgear Rbs20	All versions

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (2)

https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117

Source: cve@mitre.org

Vendor Advisory

https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities

Source: cve@mitre.org

ExploitThird Party Advisory

Timeline

No history available yet.