CVE-2022-40619

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-40619
FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devices. This interface is vulnerable to unauthenticated arbitrary command injection through the funjsq_access_token parameter. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26.

7.7 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117 Vendor Advisory
https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:netgear:rbr20_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbr20:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:netgear:r6230_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:r6230:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:netgear:r6260_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:r6260:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:netgear:r7000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:r7000:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:netgear:r8900_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:r8900:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:netgear:r9000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:r9000:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:netgear:rax120_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rax120:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:netgear:rax120v2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rax120v2:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:netgear:xr300_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:xr300:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:netgear:rbs20_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbs20:-:*:*:*:*:*:*:*
History

09 Mar 2026, 14:43

Type Values Removed Values Added
Summary
  • (es) FunJSQ, un módulo de terceros integrado en algunos routers NETGEAR y sistemas WiFi Orbi, expone un servidor HTTP a través de la interfaz LAN de los dispositivos afectados. Esta interfaz es vulnerable a la inyección de comandos arbitrarios no autenticada a través del parámetro funjsq_access_token. Esto afecta a los R6230 anteriores a 1.1.0.112, R6260 anteriores a 1.1.0.88, R7000 anteriores a 1.0.11.134, R8900 anteriores a 1.0.5.42, R9000 anteriores a 1.0.5.42, y XR300 anteriores a 1.0.3.72 y a los Orbi RBR20 anteriores a 2.7.2.26, RBR50 anteriores a 2.7.4.26, RBS20 anteriores a 2.7.2.26, y RBS50 anteriores a 2.7.4.26.
First Time Netgear r6230
Netgear r9000
Netgear r6260
Netgear rax120
Netgear rbs20 Firmware
Netgear r6230 Firmware
Netgear xr300 Firmware
Netgear
Netgear rbr20
Netgear r7000
Netgear rax120v2
Netgear r6260 Firmware
Netgear r8900
Netgear rbr20 Firmware
Netgear r7000 Firmware
Netgear rax120 Firmware
Netgear rax120v2 Firmware
Netgear r8900 Firmware
Netgear xr300
Netgear rbs20
Netgear r9000 Firmware
CPE cpe:2.3:o:netgear:r7000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:r9000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:r6260:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:r9000:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:r6260_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:r6230:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rax120v2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rax120v2:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:r8900:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:r8900_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rax120:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbs20:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbs20_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:r7000:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:xr300:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:r6230_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbr20_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rax120_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:xr300_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbr20:-:*:*:*:*:*:*:*
References () https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117 - () https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117 - Vendor Advisory
References () https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities - () https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities - Exploit, Third Party Advisory

29 Jan 2026, 19:16

Type Values Removed Values Added
CWE CWE-77
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.7

28 Jan 2026, 19:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-01-28 19:16

Updated : 2026-03-09 14:43

NVD link : CVE-2022-40619

Mitre link : CVE-2022-40619

CVE.ORG link : CVE-2022-40619

JSON object : View

Products Affected

netgear

  • rbs20_firmware
  • xr300_firmware
  • r8900_firmware
  • rbs20
  • r6230
  • r6260_firmware
  • r9000
  • r6260
  • r7000
  • rbr20
  • rax120
  • rax120v2_firmware
  • rbr20_firmware
  • r8900
  • rax120_firmware
  • r7000_firmware
  • r9000_firmware
  • xr300
  • rax120v2
  • r6230_firmware
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')