CVE-2025-12946 - Vulnerability Details

A vulnerability in the speedtest feature of affected NETGEAR Nighthawk routers, caused by improper input validation, can allow attackers on the router's WAN side, using attacker-in-the-middle techniques (MiTM) to manipulate DNS responses and execute commands when speedtests are run. This issue affects RS700: through 1.0.7.82; RAX54Sv2 : before V1.1.6.36; RAX41v2: before V1.1.6.36; RAX50: before V1.2.14.114; RAXE500: before V1.2.14.114; RAX41: before V1.0.17.142; RAX43: before V1.0.17.142; RAX35v2: before V1.0.17.142; RAXE450: before V1.2.14.114; RAX43v2: before V1.1.6.36; RAX42: before V1.0.17.142; RAX45: before V1.0.17.142; RAX50v2: before V1.1.6.36; MR90: before V1.0.2.46; MS90: before V1.0.2.46; RAX42v2: before V1.1.6.36; RAX49S: before V1.1.6.36.

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Netgear	Mr90 Mr90 Firmware Ms90 Ms90 Firmware Rax35v2 Rax35v2 Firmware Rax41 Rax41 Firmware Rax41v2 Rax41v2 Firmware Rax42 Rax42 Firmware Rax42v2 Rax42v2 Firmware Rax43 Rax43 Firmware Rax43v2 Rax43v2 Firmware Rax45 Rax45 Firmware Rax45v2 Rax45v2 Firmware Rax49s Rax49s Firmware Rax50 Rax50 Firmware Rax50v2 Rax50v2 Firmware Rax54sv2 Rax54sv2 Firmware Raxe450 Raxe450 Firmware Raxe500 Raxe500 Firmware Rs700 Rs700 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:netgear:rs700_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rs700:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:netgear:rax54sv2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax54sv2:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:netgear:rax45v2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax45v2:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:netgear:rax41v2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax41v2:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:netgear:rax50_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax50:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:netgear:raxe500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:raxe500:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:netgear:rax41_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax41:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:netgear:rax43_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax43:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:netgear:rax35v2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax35v2:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:netgear:raxe450_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:raxe450:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:netgear:rax43v2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax43v2:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:netgear:rax42_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax42:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:netgear:rax45_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax45:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:netgear:rax50v2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax50v2:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:netgear:mr90_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:mr90:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:netgear:ms90_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:ms90:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:netgear:rax42v2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax42v2:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND

cpe:2.3:o:netgear:rax49s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax49s:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://kb.netgear.com/000070416/December-2025-NETGEAR-Security-Advisory
https://www.netgear.com/support/product/RAX50
https://www.netgear.com/support/product/mr90
https://www.netgear.com/support/product/ms90
https://www.netgear.com/support/product/rax35v2
https://www.netgear.com/support/product/rax41
https://www.netgear.com/support/product/rax41v2
https://www.netgear.com/support/product/rax42
https://www.netgear.com/support/product/rax42v2
https://www.netgear.com/support/product/rax43
https://www.netgear.com/support/product/rax43v2
https://www.netgear.com/support/product/rax45
https://www.netgear.com/support/product/rax49s
https://www.netgear.com/support/product/rax50v2
https://www.netgear.com/support/product/rax54sv2
https://www.netgear.com/support/product/raxe450
https://www.netgear.com/support/product/raxe500
https://www.netgear.com/support/product/rs700

History

Wed, 21 Jan 2026 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Netgear mr90 Firmware Netgear ms90 Firmware Netgear rax35v2 Firmware Netgear rax41 Firmware Netgear rax41v2 Firmware Netgear rax42 Firmware Netgear rax42v2 Firmware Netgear rax43 Firmware Netgear rax43v2 Firmware Netgear rax45 Firmware Netgear rax45v2 Netgear rax45v2 Firmware Netgear rax49s Firmware Netgear rax50 Firmware Netgear rax50v2 Firmware Netgear rax54sv2 Firmware Netgear raxe450 Firmware Netgear raxe500 Firmware Netgear rs700 Firmware
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:h:netgear:mr90:-:::::::* cpe:2.3:h:netgear:ms90:-:::::::* cpe:2.3:h:netgear:rax35v2:-:::::::* cpe:2.3:h:netgear:rax41:-:::::::* cpe:2.3:h:netgear:rax41v2:-:::::::* cpe:2.3:h:netgear:rax42:-:::::::* cpe:2.3:h:netgear:rax42v2:-:::::::* cpe:2.3:h:netgear:rax43:-:::::::* cpe:2.3:h:netgear:rax43v2:-:::::::* cpe:2.3:h:netgear:rax45:-:::::::* cpe:2.3:h:netgear:rax45v2:-:::::::* cpe:2.3:h:netgear:rax49s:-:::::::* cpe:2.3:h:netgear:rax50:-:::::::* cpe:2.3:h:netgear:rax50v2:-:::::::* cpe:2.3:h:netgear:rax54sv2:-:::::::* cpe:2.3:h:netgear:raxe450:-:::::::* cpe:2.3:h:netgear:raxe500:-:::::::* cpe:2.3:h:netgear:rs700:-:::::::* cpe:2.3:o:netgear:mr90_firmware:::::::: cpe:2.3:o:netgear:ms90_firmware:::::::: cpe:2.3:o:netgear:rax35v2_firmware:::::::: cpe:2.3:o:netgear:rax41_firmware:::::::: cpe:2.3:o:netgear:rax41v2_firmware:::::::: cpe:2.3:o:netgear:rax42_firmware:::::::: cpe:2.3:o:netgear:rax42v2_firmware:::::::: cpe:2.3:o:netgear:rax43_firmware:::::::: cpe:2.3:o:netgear:rax43v2_firmware:::::::: cpe:2.3:o:netgear:rax45_firmware:::::::: cpe:2.3:o:netgear:rax45v2_firmware:::::::: cpe:2.3:o:netgear:rax49s_firmware:::::::: cpe:2.3:o:netgear:rax50_firmware:::::::: cpe:2.3:o:netgear:rax50v2_firmware:::::::: cpe:2.3:o:netgear:rax54sv2_firmware:::::::: cpe:2.3:o:netgear:raxe450_firmware:::::::: cpe:2.3:o:netgear:raxe500_firmware:::::::: cpe:2.3:o:netgear:rs700_firmware::::::::
Vendors & Products		Netgear mr90 Firmware Netgear ms90 Firmware Netgear rax35v2 Firmware Netgear rax41 Firmware Netgear rax41v2 Firmware Netgear rax42 Firmware Netgear rax42v2 Firmware Netgear rax43 Firmware Netgear rax43v2 Firmware Netgear rax45 Firmware Netgear rax45v2 Netgear rax45v2 Firmware Netgear rax49s Firmware Netgear rax50 Firmware Netgear rax50v2 Firmware Netgear rax54sv2 Firmware Netgear raxe450 Firmware Netgear raxe500 Firmware Netgear rs700 Firmware
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 09 Dec 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 09 Dec 2025 19:45:00 +0000

Type	Values Removed	Values Added
References		https://kb.netgear.com/000070416/December-2025-NETGEAR-Security-Advisory

Tue, 09 Dec 2025 18:30:00 +0000

Type	Values Removed	Values Added
References	https://kb.netgear.com/000070355/NETGEAR-Security-Advisories-December-2025

Tue, 09 Dec 2025 17:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the speedtest feature of affected NETGEAR Nighthawk routers, caused by improper input validation, can allow attackers on the router's WAN side, using attacker-in-the-middle techniques (MiTM) to manipulate DNS responses and execute commands when speedtests are run. This issue affects RS700: through 1.0.7.82; RAX54Sv2 : before V1.1.6.36; RAX41v2: before V1.1.6.36; RAX50: before V1.2.14.114; RAXE500: before V1.2.14.114; RAX41: before V1.0.17.142; RAX43: before V1.0.17.142; RAX35v2: before V1.0.17.142; RAXE450: before V1.2.14.114; RAX43v2: before V1.1.6.36; RAX42: before V1.0.17.142; RAX45: before V1.0.17.142; RAX50v2: before V1.1.6.36; MR90: before V1.0.2.46; MS90: before V1.0.2.46; RAX42v2: before V1.1.6.36; RAX49S: before V1.1.6.36.
Title		Improper input validation in NETGEAR Nighthawk routers
First Time appeared		Netgear Netgear mr90 Netgear ms90 Netgear rax35v2 Netgear rax41 Netgear rax41v2 Netgear rax42 Netgear rax42v2 Netgear rax43 Netgear rax43v2 Netgear rax45 Netgear rax49s Netgear rax50 Netgear rax50v2 Netgear rax54sv2 Netgear raxe450 Netgear raxe500 Netgear rs700
Weaknesses		CWE-20
CPEs		cpe:2.3:h:netgear:mr90:::::::: cpe:2.3:h:netgear:ms90:::::::: cpe:2.3:h:netgear:rax35v2:::::::: cpe:2.3:h:netgear:rax41:::::::: cpe:2.3:h:netgear:rax41v2:::::::: cpe:2.3:h:netgear:rax42:::::::: cpe:2.3:h:netgear:rax42v2:::::::: cpe:2.3:h:netgear:rax43:::::::: cpe:2.3:h:netgear:rax43v2:::::::: cpe:2.3:h:netgear:rax45:::::::: cpe:2.3:h:netgear:rax49s:::::::: cpe:2.3:h:netgear:rax50:::::::: cpe:2.3:h:netgear:rax50v2:::::::: cpe:2.3:h:netgear:rax54sv2:::::::: cpe:2.3:h:netgear:raxe450:::::::: cpe:2.3:h:netgear:raxe500:::::::: cpe:2.3:h:netgear:rs700::::::::
Vendors & Products		Netgear Netgear mr90 Netgear ms90 Netgear rax35v2 Netgear rax41 Netgear rax41v2 Netgear rax42 Netgear rax42v2 Netgear rax43 Netgear rax43v2 Netgear rax45 Netgear rax49s Netgear rax50 Netgear rax50v2 Netgear rax54sv2 Netgear raxe450 Netgear raxe500 Netgear rs700
References		https://kb.netgear.com/000070355/NETGEAR-Security-Advisories-December-2025 https://www.netgear.com/support/product/RAX50 https://www.netgear.com/support/product/mr90 https://www.netgear.com/support/product/ms90 https://www.netgear.com/support/product/rax35v2 https://www.netgear.com/support/product/rax41 https://www.netgear.com/support/product/rax41v2 https://www.netgear.com/support/product/rax42 https://www.netgear.com/support/product/rax42v2 https://www.netgear.com/support/product/rax43 https://www.netgear.com/support/product/rax43v2 https://www.netgear.com/support/product/rax45 https://www.netgear.com/support/product/rax49s https://www.netgear.com/support/product/rax50v2 https://www.netgear.com/support/product/rax54sv2 https://www.netgear.com/support/product/raxe450 https://www.netgear.com/support/product/raxe500 https://www.netgear.com/support/product/rs700
Metrics		cvssV4_0 `{'score': 4.4, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/S:N/AU:N/R:A/V:D/RE:M/U:Amber'}`

MITRE

Status: PUBLISHED

Assigner: NETGEAR

Published: 2025-12-09T17:02:20.739Z

Updated: 2025-12-10T04:57:22.798Z

Reserved: 2025-11-10T08:26:32.586Z

Link: CVE-2025-12946

Vulnrichment

Updated: 2025-12-09T20:22:16.677Z

NVD

Status : Analyzed

Published: 2025-12-09T17:15:48.820

Modified: 2026-01-21T19:29:14.017

Link: CVE-2025-12946

Redhat

No data.

Metrics

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object