CVE-2022-40619

Jan. 29, 2026, 7:16 p.m.

7.7
High

Description

FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devices. This interface is vulnerable to unauthenticated arbitrary command injection through the funjsq_access_token parameter. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26.

Product(s) Impacted

Vendor Product Versions
Netgear
  • R6230
  • R6260
  • R7000
  • R8900
  • R9000
  • Xr300
  • Rbr20
  • Rbr50
  • Rbs20
  • Rbs50
  • *
  • *
  • *
  • *
  • *
  • *
  • *
  • *
  • *
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a netgear r6230 / / / / / / / /
a netgear r6260 / / / / / / / /
a netgear r7000 / / / / / / / /
a netgear r8900 / / / / / / / /
a netgear r9000 / / / / / / / /
a netgear xr300 / / / / / / / /
a netgear rbr20 / / / / / / / /
a netgear rbr50 / / / / / / / /
a netgear rbs20 / / / / / / / /
a netgear rbs50 / / / / / / / /

References

https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117
https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities

Tags

[email protected]
CWE-77
CVE-2022-40619
2026-01-28

CVSS Score

7.7 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: LOW

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

    View Vector String

Timeline

Published: Jan. 28, 2026, 7:16 p.m.
Last Modified: Jan. 29, 2026, 7:16 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

[email protected]

Relations

Here is the list of observables linked to the vulnerability CVE-2022-40619 using threat intelligence.

  • RondoDox
  • Mirai
  • RondoDoX

Linked Attack Reports

Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities

A new threat actor is distributing the RondoDox malware, a variant of Mirai, targeting IoT devices. The actor uses residential IP addresses for distribution and employs over a dozen exploits to target various IoT vulnerabilities. The malware's first stage is a shell script that attempts to disable …
command injection
iot
botnet
mirai
multi-platform
CVE-2024-10914
CVE-2023-1389
CVE-2025-4008
CVE-2024-3721
CVE-2025-34043
rondodox
CVE-2025-9528
CVE-2013-1599
CVE-2022-36553
CVE-2020-10987
2025-11-26
shell script
residential infrastructure
mirai variant
CVE-2020-9054
CVE-2023-23333
CVE-2014-3206
CVE-2023-41011
CVE-2022-40619
Published: November 26, 2025
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8), CVE-2024-10914 (CVSS 8.1), CVE-2022-42475, CVE-2017-9841, CVE-2023-23333, CVE-2019-9082, CVE-2023-1389, CVE-2025-31324 (CVSS 10.0), CVE-2025-4008 (CVSS 9.4), CVE-2024-3721, CVE-2025-34043 (CVSS 10.0), CVE-2025-9528 (CVSS 5.1), CVE-2013-1599, CVE-2022-36553, CVE-2020-10987, CVE-2023-41011, CVE-2022-40619 (CVSS 7.7), CVE-2022-24847, CVE-2020-8958, CVE-2014-3206, CVE-2023-1381, CVE-2022-22947, CVE-2020-9054
Downloadable IOCs: 26

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.