Main Vulnerability Database SB20251210168

SB20251210168 - Remote command execution in NETGEAR Nighthawk routers

Published: December 10, 2025

Security Bulletin ID SB20251210168

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Adjecent network

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Input validation error (CVE-ID: CVE-2025-12946)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the speedtest feature. A remote attacker on the local network can pass specially crafted input to the application and execute arbitrary commands when speedtests are run.

Remediation

Install update from vendor's website.

References

https://kb.netgear.com/000070416/December-2025-NETGEAR-Security-Advisory

Vulnerable Software

RS700: 1.0.7.82 and previous versions
RAX54Sv2: before 1.1.6.36
RAX41v2: before 1.1.6.36
RAX50: before 1.2.14.114
RAXE500: before 1.2.14.114
RAX41: before 1.0.17.142
RAX43: before 1.0.17.142
RAX35v2: before 1.0.17.142
RAXE450: before 1.2.14.114
RAX43v2: before 1.1.6.36
RAX42: before 1.0.17.142
RAX45: before 1.0.17.142
RAX50v2: before 1.1.6.36
MR90: before 1.0.2.46
MS90: before 1.0.2.46
RAX42v2: before 1.1.6.36
RAX49S: before 1.1.6.36
RAX45v2: before 1.1.6.36

SB20251210168 - Remote command execution in NETGEAR Nighthawk routers

Breakdown by Severity

Description

Remediation

References

Please verify you're human