Description
NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the dalStorage_addUserAccount function. Attackers can exploit the unsafe concatenation of user-supplied input into a shell command string passed to rut_doSystemAction without sanitization to achieve full root-level command execution on the underlying operating system.
Published: 2026-06-23
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NetComm NF20MESH routers running firmware releases R6B031 and earlier are vulnerable to an authenticated remote code execution flaw. An attacker with valid credentials can send a crafted JSON payload that injects shell metacharacters into the username field processed by the dalStorage_addUserAccount function. Because the username is concatenated into a shell command string passed to rut_doSystemAction without sanitization, the shell interprets the injected metacharacters and the attacker can execute arbitrary commands as the root user on the underlying operating system. The vulnerability is a classic OS command injection (CWE-78).
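The following C example is added here to illustrate the defect class described above; it is not NetComm's code and has no relation to the real dalStorage_addUserAccount or rut_doSystemAction internals. It places the unsafe pattern (a username pasted into a shell command string) beside the hardened form: an allowlist check on the username and execution through an argv vector with no shell involved. All function names, the `/usr/sbin/adduser` path and the sample inputs are constructed for the example.

```c
/* Added example (hypothetical names): unsafe string-building versus a
 * validated, shell-free argv path for a user-management action.            */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define USERNAME_MAX 32

/* Vulnerable pattern: the username becomes part of one shell command line,
 * so any shell metacharacter in it changes the command's structure.
 * This function only builds the string; nothing here executes it.          */
int build_add_user_cmd_unsafe(char *buf, size_t buflen, const char *username) {
    return snprintf(buf, buflen, "adduser %s", username);
}

/* Allowlist: 1..32 bytes of [A-Za-z0-9_.-], first byte a letter or '_'.
 * Rejecting a leading '-' matters even on the argv path, because a program
 * would otherwise parse the username as one of its own options.            */
bool username_is_valid(const char *username) {
    size_t len = strlen(username);
    if (len == 0 || len > USERNAME_MAX) return false;
    if (!(isalpha((unsigned char)username[0]) || username[0] == '_')) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)username[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return false;
    }
    return true;
}

/* Hardened pattern: validate, then pass the name as its own argv element.
 * No shell parses it, so metacharacters are ordinary bytes. Returns the
 * number of argv entries filled, or -1 if the username is rejected.
 * argv must have room for at least 4 pointers.                             */
int build_add_user_argv_safe(char *argv[], const char *username) {
    if (!username_is_valid(username)) return -1;
    argv[0] = "/usr/sbin/adduser";   /* hypothetical path for the example */
    argv[1] = "-D";
    argv[2] = (char *)username;
    argv[3] = NULL;
    return 3;
}

/* Run an argv vector directly (fork + execv), never via /bin/sh.
 * Returns the child's exit status, or -1 on failure to run it.            */
int run_argv(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs: one benign name, then names carrying shell
     * metacharacters, an option-like prefix and an empty string.           */
    const char *inputs[] = { "alice", "alice;echo", "$(echo hi)", "-x", "" };
    char cmd[128];
    char *argv[4];
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        build_add_user_cmd_unsafe(cmd, sizeof cmd, inputs[i]);
        int n = build_add_user_argv_safe(argv, inputs[i]);
        printf("input \"%s\": unsafe string \"%s\"; safe path %s\n",
               inputs[i], cmd, n < 0 ? "rejected" : "accepted");
    }
    /* Shell-free execution demo with /bin/echo standing in for adduser:
     * the metacharacters are printed literally, not interpreted.           */
    char *demo[] = { "/bin/echo", "--", "alice;echo", NULL };
    return run_argv(demo) == 0 ? 0 : 1;
}
```

The two builders make the contrast concrete: `build_add_user_cmd_unsafe` happily returns `adduser alice;echo`, which a shell would treat as two commands, while `build_add_user_argv_safe` refuses the same input before anything runs. Rejecting at the validation step rather than escaping is the simpler mitigation for a fixed-format field such as a username, and the allowlist doubles as a point for logging rejected requests.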

Affected Systems

The flaw affects NetComm Wireless Pty Ltd’s NF20MESH router. Firmware versions R6B031 and all earlier releases are impacted; firmware R6B032 and later is not indicated as vulnerable, although the record does not explicitly confirm it as unaffected.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity vulnerability. No EPSS score is publicly available, and the issue is not listed in the CISA KEV catalog, suggesting limited known exploit activity. Because the vulnerable code path sits behind the management interface, an attacker must first authenticate and then dispatch a malicious JSON request to trigger the unvalidated shell command. If successful, the attacker gains full root-level control of the device’s operating system, enabling arbitrary code execution, data exfiltration, or further network attacks.

Generated by OpenCVE AI on June 23, 2026 at 23:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest NetComm firmware (R6B032 or later) to eliminate the vulnerable code path.
  • If a firmware upgrade cannot be performed immediately, restrict access to the router’s administration interface to trusted hosts or VLANs and enforce strong authentication mechanisms.
  • Monitor system logs and network traffic for unexpected shell command execution patterns or anomalous firmware activity to detect exploitation attempts.


Advisories

No advisories yet.

History

Tue, 23 Jun 2026 14:45:00 +0000

Type / Values Removed / Values Added (no values removed; the entries below are the values added):
  • Description: NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the dalStorage_addUserAccount function. Attackers can exploit the unsafe concatenation of user-supplied input into a shell command string passed to rut_doSystemAction without sanitization to achieve full root-level command execution on the underlying operating system.
  • Title: NetComm NF20MESH < R6B032 Authenticated RCE via OS Command Injection
  • Weaknesses: CWE-78
  • References: none listed
  • Metrics:
      cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
      cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T13:46:39.768Z

Reserved: 2026-03-31T20:40:15.618Z

Link: CVE-2026-35018

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T23:15:04Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')