Description
NetComm NF20MESH routers running firmware R6B031 and earlier contain an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by exploiting a hardcoded AES-256 key used to encrypt session cookies for the web management interface. Attackers can forge a valid encrypted session cookie using the shared hardcoded key and bypass authentication checks to obtain full administrative control of the management interface while any legitimate administrator session is active.
Published: 2026-06-23
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the use of a hard‑coded AES‑256 key that encrypts session cookies for the device’s web management interface. Because the key is embedded in the firmware, an attacker can craft a valid session cookie and present it to the router, causing the authentication check to accept the cookie as authentic. This yields unrestricted administrative access even while a legitimate administrator is logged in. The weakness is a classic example of insecure key management (CWE‑321).

Affected Systems

NetComm Wireless Pty Ltd’s NF20MESH routers running firmware R6B031 and earlier are affected. These wireless access points can be deployed in both enterprise and residential environments.

Risk and Exploitability

The vulnerability’s CVSS of 9.2 indicates critical severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog, suggesting no known public exploits yet. Based on the description, the likely attack vector is inferred to be remote network access to the router’s web interface. The ease of forging a session cookie makes the risk high until remediation is applied.

Generated by OpenCVE AI on June 24, 2026 at 11:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Acquire the latest NetComm NF20MESH firmware that removes the hard-coded AES key and install it on all affected devices.
  • If a new firmware is not yet available, restrict external access to the router’s web management interface by configuring a firewall or ACL so that only trusted management hosts on the internal network can reach the device.
  • Continuously monitor management logs for anomalous authentication attempts and verify that no unauthorized administrative sessions are active.
  • Consider disabling the web management interface from external networks and use secure remote management alternatives such as VPN or SNMP with authentication, if available.

Generated by OpenCVE AI on June 24, 2026 at 11:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Netcommwireless
Netcommwireless nf20mesh
Vendors & Products Netcommwireless
Netcommwireless nf20mesh

Tue, 23 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description NetComm NF20MESH routers running firmware R6B031 and earlier contain an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by exploiting a hardcoded AES-256 key used to encrypt session cookies for the web management interface. Attackers can forge a valid encrypted session cookie using the shared hardcoded key and bypass authentication checks to obtain full administrative control of the management interface while any legitimate administrator session is active.
Title NetComm NF20MESH < R6B032 Hardcoded AES Key Authentication Bypass
Weaknesses CWE-321
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Netcommwireless Nf20mesh
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T15:11:17.525Z

Reserved: 2026-03-31T20:40:15.618Z

Link: CVE-2026-35019

cve-icon Vulnrichment

Updated: 2026-06-23T15:11:14.297Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:06:04Z

Weaknesses
  • CWE-321

    Use of Hard-coded Cryptographic Key