Unrated severityNVD Advisory· Published Jan 28, 2026· Updated Jan 29, 2026

CVE-2022-40619

Description

FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devices. This interface is vulnerable to unauthenticated arbitrary command injection through the funjsq_access_token parameter. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26.

Affected products

NETGEAR/routers and Orbi WiFi Systemsdescription
Netgear/R8900llm-create
Range: <1.0.5.42
Netgear/R9000llm-create
Range: <1.0.5.42
Netgear/XR300llm-create
Range: <1.0.3.72
Netgear/Orbi RBR20llm-create
Range: <2.7.2.26
Netgear/Orbi RBS50llm-create
Range: <2.7.4.26
Netgear/R6230llm-fuzzy
Range: <1.1.0.112
Netgear/R6260llm-fuzzy
Range: <1.1.0.88
Netgear/R7000llm-fuzzy
Range: <1.0.11.134

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000