CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-25246
https://notcve.org/view.php?id=CVE-2025-25246
05 Feb 2025 — NETGEAR XR1000 before 1.0.0.74, XR1000v2 before 1.1.0.22, and XR500 before 2.3.2.134 allow remote code execution by unauthenticated users. • https://kb.netgear.com/000066558/Security-Advisory-for-Unauthenticated-RCE-on-Some-WiFi-Routers-PSV-2023-0039 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-34870 – NETGEAR XR1000 UPnP SOAPAction Missing Authentication Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-34870
08 Sep 2021 — This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR XR1000 1.0.0.52_1.0.38 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SOAP messages. The issue results from a lack of authentication required for a privileged request. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. • https://kb.netgear.com/000063967/Security-Advisory-for-a-Security-Misconfiguration-Vulnerability-on-the-XR1000-PSV-2021-0101 • CWE-306: Missing Authentication for Critical Function •