Description
NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the dalStorage_addUserAccount function. Attackers can exploit the unsafe concatenation of user-supplied input into a shell command string passed to rut_doSystemAction without sanitization to achieve full root-level command execution on the underlying operating system.
Published: 2026-06-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when NetComm NF20MESH routers process the username field of a JSON payload in the dalStorage_addUserAccount endpoint. The username string is concatenated raw into a shell command that is executed by rut_doSystemAction, creating an OS command injection flaw. Attackers who possess administrative credentials can inject shell metacharacters into this field and cause the router to execute arbitrary commands as root, fully compromising the host operating system.

Affected Systems

The flaw affects NetComm Wireless Pty Ltd’s NF20MESH routers running firmware R6B031 and all earlier releases. Firmware R6B032 or later has not been confirmed as vulnerable according to the advisory; the lack of confirmation for R6B032 is inferred from missing data in the source documentation.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability that is difficult to exploit under normal conditions. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been reported. Because the flaw requires valid administrative credentials to access the management interface, an attacker must first authenticate. Once authenticated and the exploit is delivered, the attacker achieves full root‑level control of the device, enabling arbitrary command execution.

Generated by OpenCVE AI on June 24, 2026 at 11:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to a version that removes the command injection flaw, such as firmware releases R6B032 or newer if confirmed safe by the vendor.
  • Restrict access to the router’s administration interface by limiting it to trusted hosts, implementing network segmentation or VLAN isolation, and enforcing strong, unique authentication credentials.
  • Enable comprehensive logging for system activity and monitor logs for unexpected shell or command‑line actions, watching for anomalous requests to the dalStorage_addUserAccount endpoint.

Generated by OpenCVE AI on June 24, 2026 at 11:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Netcommwireless
Netcommwireless nf20mesh
Vendors & Products Netcommwireless
Netcommwireless nf20mesh

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the dalStorage_addUserAccount function. Attackers can exploit the unsafe concatenation of user-supplied input into a shell command string passed to rut_doSystemAction without sanitization to achieve full root-level command execution on the underlying operating system.
Title NetComm NF20MESH < R6B032 Authenticated RCE via OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Netcommwireless Nf20mesh
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T15:04:56.659Z

Reserved: 2026-03-31T20:40:15.618Z

Link: CVE-2026-35018

cve-icon Vulnrichment

Updated: 2026-06-24T15:04:14.979Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:06:06Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')