CVE-2022-40620
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2022-40620, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-28

Last updated on: 2026-03-09

Assigner: MITRE

Description

FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS certificates when downloading update packages through its auto-update mechanism. An attacker (suitably positioned on the network) could intercept the update request and deliver a malicious update package in order to gain arbitrary code execution on affected devices. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-28
Last Modified
2026-03-09
Generated
2026-07-06
AI Q&A
2026-01-29
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 10 associated CPEs
Vendor Product Version / Range
netgear rbr20_firmware to 2.7.2.26 (exc)
netgear r6230_firmware to 1.1.0.112 (exc)
netgear r6260_firmware to 1.1.0.88 (exc)
netgear r7000_firmware to 1.0.11.134 (exc)
netgear r8900_firmware to 1.0.5.42 (exc)
netgear r9000_firmware to 1.0.5.42 (exc)
netgear rax120_firmware to 1.2.8.40 (exc)
netgear rax120v2_firmware to 1.2.8.40 (exc)
netgear xr300_firmware to 1.0.3.72 (exc)
netgear rbs20_firmware to 2.7.2.26 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves the FunJSQ module used in some NETGEAR routers and Orbi WiFi Systems. The module does not properly validate TLS certificates when downloading update packages via its auto-update mechanism. This flaw allows an attacker positioned on the network to intercept the update request and deliver a malicious update package, potentially leading to arbitrary code execution on the affected devices.

Impact Analysis

If exploited, this vulnerability can allow an attacker to execute arbitrary code on affected NETGEAR routers or Orbi WiFi Systems. This could lead to unauthorized control over the device, potentially compromising network security, intercepting or manipulating network traffic, or disrupting network services.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-40620. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart