
CVE-2026-0404: CWE-20 Improper Input Validation in NETGEAR RBRE960

Severity: Medium
Tags: Vulnerability, CVE-2026-0404, cve, cve-2026-0404, cwe-20
Published: Tue Jan 13 2026 (01/13/2026, 16:01:14 UTC)
Source: CVE Database V5
Vendor/Project: NETGEAR
Product: RBRE960

Description

An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default.

AI-Powered Analysis

Last updated: 01/13/2026, 16:42:20 UTC

Technical Analysis

CVE-2026-0404 is a vulnerability classified under CWE-20 (Improper Input Validation) found in the NETGEAR Orbi RBRE960 router model. The flaw exists in the DHCPv6 functionality of the device, which, when enabled, fails to properly validate input data. This allows an attacker who is network adjacent and authenticated either over WiFi or on the LAN to perform OS command injection attacks on the router. Command injection vulnerabilities enable attackers to execute arbitrary commands with the privileges of the router’s operating system, potentially leading to full device compromise. DHCPv6 is not enabled by default on these devices, which limits the attack surface. The CVSS 4.0 base score is 4.8 (medium severity), reflecting that the attack vector is adjacent network, attack complexity is low, but privileges are required and no user interaction is needed. The vulnerability affects confidentiality, integrity, and availability of the router, as an attacker could manipulate routing, intercept or disrupt traffic, or use the device as a foothold for further network attacks. There are no known exploits in the wild, and no patches have been published yet. The vulnerability was reserved in December 2025 and published in January 2026. Given the nature of the flaw, it is critical for network administrators to assess the use of DHCPv6 on affected devices and implement compensating controls until a patch is available.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to those deploying NETGEAR Orbi RBRE960 routers in environments where DHCPv6 is enabled. Successful exploitation could allow attackers to gain control over the router, leading to interception or manipulation of network traffic, disruption of network services, or pivoting to internal systems. This could impact confidentiality by exposing sensitive data, integrity by altering network configurations or data flows, and availability by causing denial of service. Organizations with critical infrastructure or sensitive data relying on these routers could face operational disruptions or data breaches. Since DHCPv6 is disabled by default, the risk is mitigated if organizations have not enabled this feature. However, environments that require IPv6 support and have enabled DHCPv6 are more vulnerable. The requirement for authenticated network access limits the threat to insiders or attackers who have already breached perimeter defenses, but this still represents a significant risk in enterprise or public WiFi environments. The lack of known exploits reduces immediate risk but does not eliminate the potential for future attacks.

Mitigation Recommendations

1. Verify if DHCPv6 is enabled on NETGEAR RBRE960 devices; if not required, disable DHCPv6 to eliminate the attack vector.
2. Restrict network access to management interfaces by implementing strong WiFi security (WPA3 if possible) and network segmentation to limit authenticated access to trusted users only.
3. Monitor router logs and network traffic for unusual commands or behavior indicative of exploitation attempts.
4. Apply strict access control lists (ACLs) on LAN and WiFi segments to reduce exposure to potentially malicious devices.
5. Regularly check NETGEAR advisories for patches or firmware updates addressing this vulnerability and apply them promptly once available.
6. Consider deploying network intrusion detection/prevention systems (IDS/IPS) that can detect anomalous DHCPv6 or command injection activity.
7. Educate network administrators about the risks of enabling DHCPv6 without proper validation and the importance of secure router configurations.
8. For environments requiring DHCPv6, consider alternative router models with verified secure implementations or additional security controls such as VPNs to protect management traffic.


Technical Details

Data Version: 5.2
Assigner Short Name: NETGEAR
Date Reserved: 2025-12-03T04:16:10.186Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 69667237a60475309f879e8e

Added to database: 1/13/2026, 4:26:31 PM

Last enriched: 1/13/2026, 4:42:20 PM

Last updated: 1/14/2026, 6:17:18 AM
