NETGEAR Routers and Orbi WiFi Systems FunJSQ Vulnerability Allowing Unauthenticated Command Injection

Vulnerability

A vulnerability in the FunJSQ module, integrated into certain NETGEAR routers and Orbi WiFi systems, allows unauthenticated arbitrary command injection via the funjsq_access_token parameter. Affected router models include the R6230, R6260, R7000, R8900, R9000 and XR300, along with various Orbi models. The vulnerable code is reached through the FunJSQ HTTP server exposed on the LAN interface, and commands injected through this parameter are executed with root privileges.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device, with the executed commands running as the root user.

Reproduction

To reproduce this vulnerability, send a request to the funjsq_httpd HTTP server on the device's LAN interface. Include the funjsq_access_token parameter, which can be generated using a hardcoded string and the device's MAC address. The injected command will be executed and can be verified by checking the device's response or logs.
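As an added example written from a defender's stance (it is not part of this advisory and not NETGEAR's or FunJSQ's code), the Python below scans web-server access-log lines in Common Log Format and flags requests whose funjsq_access_token query value contains shell metacharacters, which a legitimate token should never carry. The sample log lines, the request path /cgi-bin/funjsq, the 192.168.1.x source addresses and the metacharacter set are constructed assumptions; the advisory does not document the endpoint path or the token format beyond the parameter name.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that have no place in an access-token value.
# The set is an assumption for this example; the advisory only names
# the parameter, not the token alphabet.
_SHELL_META = re.compile(r"[;&|`$<>\n]")

# Common Log Format: source, identity, user, [timestamp], "request", status.
_CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; not captured from any real device.
# Line 2 carries a URL-encoded ';' inside the token value.
SAMPLE_LOG = """\
192.168.1.10 - - [28/Jan/2026:19:34:00 +0000] "GET /cgi-bin/funjsq?funjsq_access_token=0A1B2C3D4E5F HTTP/1.1" 200 512
192.168.1.23 - - [28/Jan/2026:19:34:05 +0000] "GET /cgi-bin/funjsq?funjsq_access_token=0A1B2C3D4E5F%3Becho+injected HTTP/1.1" 200 512
192.168.1.23 - - [28/Jan/2026:19:34:07 +0000] "POST /cgi-bin/funjsq HTTP/1.1" 200 512
192.168.1.42 - - [28/Jan/2026:19:34:09 +0000] "GET /index.htm HTTP/1.1" 200 4096
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = _CLF.match(line)
    return m.groupdict() if m else None


def suspicious_token_values(target):
    """Return decoded funjsq_access_token values that contain shell metacharacters.

    parse_qs percent-decodes the values, so '%3B' is inspected as ';'.
    """
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("funjsq_access_token", [])
    return [v for v in values if _SHELL_META.search(v)]


def scan_log(text):
    """Walk log text and return one finding per request with a suspicious token."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or "funjsq_access_token" not in rec["target"]:
            continue
        bad = suspicious_token_values(rec["target"])
        if bad:
            findings.append({"src": rec["src"], "ts": rec["ts"], "values": bad})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} suspicious funjsq_access_token: {f['values']}")
```

An access log only shows parameters carried in the query string; a token submitted in a POST body (the third sample line) is invisible to this check, so body inspection needs the request itself, for example from an IDS or a reverse proxy that logs bodies. The scan is a triage aid, not a substitute for the firmware update the advisory calls for.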

Remediation

NETGEAR has released firmware updates for all affected products. Users should update to the latest firmware version available for their device model.

Added: Jan 28, 2026, 7:34 PM
Updated: Jan 28, 2026, 7:34 PM

Vulnerability Rating

Custom Algorithm
spread: 8.1
impact: 7.5
exploitability: 5.5
remediation: 0.0
relevance: 2.4
threat: 4.9
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.