Input validation error in NETGEAR products - CVE-2025-12946
Published: December 10, 2025
Vulnerability identifier: #VU119796
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-12946
CWE-ID: CWE-20
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: NETGEAR
Affected software:
RS700
RAX54Sv2
RAX41v2
RAX50
RAXE500
RAX41
RAX43
RAX35v2
RAXE450
RAX43v2
RAX42
RAX45
RAX50v2
MR90
MS90
RAX42v2
RAX49S
RAX45v2
RS700
RAX54Sv2
RAX41v2
RAX50
RAXE500
RAX41
RAX43
RAX35v2
RAXE450
RAX43v2
RAX42
RAX45
RAX50v2
MR90
MS90
RAX42v2
RAX49S
RAX45v2
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input in the speedtest feature. A remote attacker on the local network can pass specially crafted input to the application and execute arbitrary commands when speedtests are run.
How to mitigate CVE-2025-12946
Install updates from vendor's website.