Login Sign Up

CVE-2026-0408

8.0 HIGH
Authentication Bypass Path Traversal

📋 TL;DR

A path traversal vulnerability in NETGEAR WiFi range extenders allows authenticated LAN attackers to access sensitive webproc files containing router GUI credentials. This affects users of specific NETGEAR range extender models who have not applied security patches. Attackers can potentially steal administrative credentials for the router interface.

💻 Affected Systems

Products:
  • NETGEAR EX2800
  • NETGEAR EX3110
  • NETGEAR EX5000
  • NETGEAR EX6110
Versions: Specific firmware versions not specified in advisory, check NETGEAR support pages for affected versions
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have LAN authentication (network access)

📦 What is this software?

Ex2800 Firmware by Netgear

View all CVEs affecting Ex2800 Firmware →

Ex3110 Firmware by Netgear

View all CVEs affecting Ex3110 Firmware →

Ex5000 Firmware by Netgear

View all CVEs affecting Ex5000 Firmware →

Ex6110 Firmware by Netgear

View all CVEs affecting Ex6110 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains administrative access to router, can reconfigure network settings, intercept traffic, install malware, or pivot to other devices on the network.

🟠

Likely Case

Attacker steals router admin credentials, potentially gaining persistent access to network management interface and monitoring network traffic.

🟢

If Mitigated

With proper network segmentation and access controls, impact limited to isolated range extender management interface only.

🌐 Internet-Facing: LOW (requires LAN access, not directly internet exploitable)
🏢 Internal Only: HIGH (exploitable by any authenticated LAN user)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires LAN access and knowledge of path traversal techniques to access webproc files

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check specific model firmware updates on NETGEAR support pages

Vendor Advisory: https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory

Restart Required: Yes

Instructions:

1. Visit NETGEAR support page for your specific model. 2. Download latest firmware. 3. Log into range extender admin interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Device will restart automatically.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate range extenders on separate VLAN to limit lateral movement

Access Control

all

Restrict LAN access to range extender management interface to trusted devices only

🧯 If You Can't Patch

  • Segment range extenders on isolated network/VLAN
  • Change router admin credentials regularly and monitor for unauthorized access

🔍 How to Verify

Check if Vulnerable:

Check firmware version against NETGEAR advisory for your specific model

Check Version:

Log into range extender admin interface and check firmware version in settings

Verify Fix Applied:

Verify firmware version has been updated to latest version from NETGEAR support

📡 Detection & Monitoring

Log Indicators:

  • Unusual access to webproc files
  • Multiple failed login attempts to router admin interface
  • Unexpected firmware version changes

Network Indicators:

  • Unusual HTTP requests to range extender management interface with path traversal patterns

SIEM Query:

source="range_extender_logs" AND (uri="*webproc*" OR uri="*../*")

📊 Metadata

CVE ID: CVE-2026-0408
CVSS v3 Score: 8.0 (HIGH)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-287
EPSS Score: 0.12% exploit probability (31th percentile)
Published: January 13, 2026
Last Updated: February 20, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-0408, you might also want to check these:

CVE-2024-27767 10.0

CVE-2024-27767 is an authentication bypass vulnerability that allows attackers to gain unauthorized ...

Same vulnerability type (CWE-287)
CVE-2026-24898 10.0

OpenEMR versions before 8.0.0 contain an unauthenticated token disclosure vulnerability in the MedEx...

Same vulnerability type (CWE-287)
CVE-2026-20127 10.0

This critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager al...

Same vulnerability type (CWE-287)