CVE-2022-40619
📋 TL;DR
This vulnerability allows unauthenticated attackers on the local network to execute arbitrary commands on affected NETGEAR routers and Orbi WiFi systems through the FunJSQ module's HTTP interface. Attackers can gain full control of the device by injecting malicious commands via the funjsq_access_token parameter. Affected devices include specific NETGEAR router models and Orbi WiFi systems running vulnerable firmware versions.
💻 Affected Systems
- NETGEAR R6230
- NETGEAR R6260
- NETGEAR R7000
- NETGEAR R8900
- NETGEAR R9000
- NETGEAR XR300
- Orbi RBR20
- Orbi RBR50
- Orbi RBS20
- Orbi RBS50
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to install persistent malware, intercept all network traffic, pivot to other internal systems, or join the device to a botnet.
Likely Case
Local network attacker gains administrative access to the router, enabling traffic interception, DNS hijacking, credential theft, and network reconnaissance.
If Mitigated
With proper network segmentation and access controls, impact limited to isolated network segments with no critical systems exposed.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint with crafted parameters. Public exploit details are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R6230: 1.1.0.112+, R6260: 1.1.0.88+, R7000: 1.0.11.134+, R8900: 1.0.5.42+, R9000: 1.0.5.42+, XR300: 1.0.3.72+, Orbi RBR20: 2.7.2.26+, RBR50: 2.7.4.26+, RBS20: 2.7.2.26+, RBS50: 2.7.4.26+
Vendor Advisory: https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117
Restart Required: Yes
Instructions:
1. Log into router admin interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and install latest firmware. 4. Reboot router after update completes.
🔧 Temporary Workarounds
Disable FunJSQ module
allRemove or disable the vulnerable FunJSQ third-party module if not required
Check router admin interface for FunJSQ/third-party app settings
Network segmentation
allIsolate affected routers from critical internal networks using VLANs or separate physical networks
🧯 If You Can't Patch
- Replace affected devices with patched models or alternative vendors
- Implement strict network access controls to limit LAN-side access to router management interfaces
🔍 How to Verify
Check if Vulnerable:
Check router firmware version via admin interface and compare with patched versions listed in advisoryCheck Version:
Log into router web interface and check Firmware Version in Advanced > AdministrationVerify Fix Applied:
Confirm firmware version matches or exceeds patched versions after update📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to router management interface
- Unexpected command execution logs
- Failed authentication attempts to FunJSQ endpoints
Network Indicators:
- HTTP POST requests containing shell metacharacters in parameters
- Traffic to unusual ports from internal hosts to router IP
SIEM Query:
source="router_logs" AND (http_uri="*funjsq*" OR http_param="*access_token*") AND (http_method="POST" OR http_status="200")