{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-12946","assignerOrgId":"a2826606-91e7-4eb6-899e-8484bd4575d5","state":"PUBLISHED","assignerShortName":"NETGEAR","dateReserved":"2025-11-10T08:26:32.586Z","datePublished":"2025-12-09T17:02:20.739Z","dateUpdated":"2026-02-26T16:57:03.457Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["Speedtest"],"product":"RS700","vendor":"NETGEAR","versions":[{"lessThanOrEqual":"1.0.7.82","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"RAX54Sv2","vendor":"NETGEAR","versions":[{"lessThan":"V1.1.6.36","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"RAX41v2","vendor":"NETGEAR","versions":[{"lessThan":"V1.1.6.36","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"RAX50","vendor":"NETGEAR","versions":[{"lessThan":"V1.2.14.114","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"RAXE500","vendor":"NETGEAR","versions":[{"lessThan":"V1.2.14.114","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"RAX41","vendor":"NETGEAR","versions":[{"lessThan":"V1.0.17.142","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"RAX43","vendor":"NETGEAR","versions":[{"lessThan":"V1.0.17.142","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"RAX35v2","vendor":"NETGEAR","versions":[{"lessThan":"V1.0.17.142","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"RAXE450","vendor":"NETGEAR","versions":[{"lessThan":"V1.2.14.114","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"RAX43v2","vendor":"NETGEAR","versions":[{"lessThan":"V1.1.6.36","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"RAX42","vendor":"NETGEAR","versions":[{"lessThan":"V1.0.17.142","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"RAX45","vendor":"NETGEAR","versions":[{"lessThan":"V1.0.17.142","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"RAX50v2","vendor":"NETGEAR","versions":[{"lessThan":"V1.1.6.36","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"MR90","vendor":"NETGEAR","versions":[{"lessThan":"V1.0.2.46","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"RAX42v2","vendor":"NETGEAR","versions":[{"lessThan":"V1.1.6.36","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"RAX49S","vendor":"NETGEAR","versions":[{"lessThan":"V1.1.6.36","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"MS90","vendor":"NETGEAR","versions":[{"lessThan":"V1.0.2.46","status":"affected","version":"0","versionType":"custom"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:rs700:*:*:*:*:*:*:*:*","versionEndIncluding":"1.0.7.82","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:rax54sv2:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.1.6.36","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:rax41v2:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.1.6.36","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:rax50:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.2.14.114","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:raxe500:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.2.14.114","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:rax41:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.0.17.142","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:rax43:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.0.17.142","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:rax35v2:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.0.17.142","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:raxe450:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.2.14.114","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:rax43v2:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.1.6.36","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:rax42:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.0.17.142","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:rax45:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.0.17.142","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:rax50v2:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.1.6.36","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:mr90:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.0.2.46","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:rax42v2:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.1.6.36","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:rax49s:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.1.6.36","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:h:netgear:ms90:*:*:*:*:*:*:*:*","versionEndExcluding":"v1.0.2.46","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"molybdenum"}],"datePublic":"2025-12-09T17:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"

A vulnerability in the speedtest feature of affected NETGEAR Nighthawk routers, caused by improper input validation, can allow attackers on the router's WAN side, using attacker-in-the-middle techniques (MiTM) to manipulate DNS responses and execute commands when speedtests are run.

This issue affects RS700: through 1.0.7.82; RAX54Sv2 : before V1.1.6.36; RAX41v2: before V1.1.6.36; RAX50: before V1.2.14.114; RAXE500: before V1.2.14.114; RAX41: before V1.0.17.142; RAX43: before V1.0.17.142; RAX35v2: before V1.0.17.142; RAXE450: before V1.2.14.114; RAX43v2: before V1.1.6.36; RAX42: before V1.0.17.142; RAX45: before V1.0.17.142; RAX50v2: before V1.1.6.36; MR90: before V1.0.2.46; MS90: before V1.0.2.46; RAX42v2: before V1.1.6.36; RAX49S: before V1.1.6.36.


"}],"value":"A vulnerability in the speedtest feature of affected NETGEAR Nighthawk routers, caused by improper input validation, can allow attackers on the router's WAN side, using attacker-in-the-middle techniques (MiTM) to manipulate DNS responses and execute commands when speedtests are run. \n\n\n\nThis issue affects RS700: through 1.0.7.82; RAX54Sv2 : before V1.1.6.36; RAX41v2: before V1.1.6.36; RAX50: before V1.2.14.114; RAXE500: before V1.2.14.114; RAX41: before V1.0.17.142; RAX43: before V1.0.17.142; RAX35v2: before V1.0.17.142; RAXE450: before V1.2.14.114; RAX43v2: before V1.1.6.36; RAX42: before V1.0.17.142; RAX45: before V1.0.17.142; RAX50v2: before V1.1.6.36; MR90: before V1.0.2.46; MS90: before V1.0.2.46; RAX42v2: before V1.1.6.36; RAX49S: before V1.1.6.36."}],"impacts":[{"capecId":"CAPEC-248","descriptions":[{"lang":"en","value":"CAPEC-248 Command Injection"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NO","Recovery":"AUTOMATIC","Safety":"NEGLIGIBLE","attackComplexity":"HIGH","attackRequirements":"PRESENT","attackVector":"ADJACENT","baseScore":4.4,"baseSeverity":"MEDIUM","exploitMaturity":"UNREPORTED","privilegesRequired":"NONE","providerUrgency":"AMBER","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"ACTIVE","valueDensity":"DIFFUSE","vectorString":"CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/S:N/AU:N/R:A/V:D/RE:M/U:Amber","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"MODERATE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-20","description":"CWE-20 Improper Input Validation","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"a2826606-91e7-4eb6-899e-8484bd4575d5","shortName":"NETGEAR","dateUpdated":"2025-12-09T19:35:39.538Z"},"references":[{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/rs700"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/rax54sv2"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/rax41v2"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/RAX50"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/raxe500"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/rax41"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/rax43"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/rax35v2"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/raxe450"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/rax43v2"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/rax42"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/rax45"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/rax50v2"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/mr90"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/ms90"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/rax42v2"},{"tags":["product","patch"],"url":"https://www.netgear.com/support/product/rax49s"},{"tags":["vendor-advisory"],"url":"https://kb.netgear.com/000070416/December-2025-NETGEAR-Security-Advisory"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"

Devices with automatic updates enabled may already have\nthis patch applied. If not, please check the firmware version and update it to\nthe latest.
\n
\n

\n\n

Fixed in:

RS700 firmware V1.0.9.6 or later

RAX54Sv2/RAX45v2 firmware V1.1.6.36 or later

RAX41v2 firmware V1.1.6.36 or later

RAX50 firmware V1.2.14.114 or later

RAXE500 firmware V1.2.14.114 or later

RAX41 firmware V1.0.17.142 or later

RAX43 firmware V1.0.17.142 or later

RAX35v2 firmware V1.0.17.142 or later

RAXE450 firmware V1.0.17.142 or later

RAX43v2 firmware V1.1.6.36 or later

RAX42 firmware V1.0.17.142 or later

RAX45 firmware V1.0.17.142 or later

RAX50v2 firmware V1.1.6.36 or later

MR90 firmware V1.0.2.46 or later

MS90 firmware V1.0.2.46 or later

RAX42v2 firmware V1.1.6.36 or later

RAX49S firmware V1.1.6.36 or later

"}],"value":"Devices with automatic updates enabled may already have\nthis patch applied. If not, please check the firmware version and update it to\nthe latest.\n\n\n\n\n\n\n\nFixed in:\n\nRS700 firmware V1.0.9.6 or later\n\nRAX54Sv2/RAX45v2  firmware V1.1.6.36 or later https://www.netgear.com/support/product/rax54sv2 \n\nRAX41v2  firmware V1.1.6.36 or later https://www.netgear.com/support/product/rax41v2 \n\nRAX50  firmware V1.2.14.114 or later https://www.netgear.com/support/product/RAX50 \n\nRAXE500  firmware V1.2.14.114 or later https://www.netgear.com/support/product/raxe500 \n\nRAX41 firmware V1.0.17.142 or later https://www.netgear.com/support/product/rax41 \n\nRAX43 firmware V1.0.17.142 or later https://www.netgear.com/support/product/rax43 \n\nRAX35v2 firmware V1.0.17.142 or later https://www.netgear.com/support/product/RAX35v2 \n\nRAXE450 firmware V1.0.17.142 or later https://www.netgear.com/support/product/RAXE450 \n\nRAX43v2 firmware V1.1.6.36 or later https://www.netgear.com/support/product/RAX43v2 \n\nRAX42 firmware V1.0.17.142 or later https://www.netgear.com/support/product/RAX42 \n\nRAX45  firmware V1.0.17.142 or later https://www.netgear.com/support/product/RAX45 \n\nRAX50v2 firmware V1.1.6.36 or later https://www.netgear.com/support/product/RAX50v2 \n\nMR90 firmware V1.0.2.46 or later https://www.netgear.com/support/product/MR90 \n\nMS90 firmware V1.0.2.46 or later https://www.netgear.com/support/product/MS90 \n\nRAX42v2 firmware V1.1.6.36 or later https://www.netgear.com/support/product/RAX42v2 \n\nRAX49S firmware V1.1.6.36 or later https://www.netgear.com/support/product/RAX42v2"}],"source":{"discovery":"UNKNOWN"},"timeline":[{"lang":"en","time":"2025-12-09T16:00:00.000Z","value":"published"}],"title":"Improper input validation in NETGEAR Nighthawk routers","x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2025-12946","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-12-10T04:57:23.602151Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T16:57:03.457Z"}}]}}