Description
NetComm NF20MESH routers running firmware R6B031 and earlier contain an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by exploiting a hardcoded AES-256 key used to encrypt session cookies for the web management interface. Attackers can forge a valid encrypted session cookie using the shared hardcoded key and bypass authentication checks to obtain full administrative control of the management interface while any legitimate administrator session is active.
Published: 2026-06-23
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the use of a hard‑coded AES‑256 key to encrypt session cookies for the vendor’s web management interface. An attacker can generate a valid encrypted cookie using the known key; the device then mistakenly accepts the cookie as authenticated. This bypass grants unauthenticated users full administrative privileges, even while a legitimate administrator is logged in. The weakness is a classic case of insecure key management (CWE‑321).

Affected Systems

NetComm Wireless Pty Ltd’s NF20MESH routers running firmware version R6B031 and earlier are affected. These wireless access points can be deployed in both enterprise and residential environments.

Risk and Exploitability

The vulnerability has a CVSS score of 9.2, indicating critical severity. EPSS data is not available. Based on the description, the attack vector is inferred to be remote network access to the device’s web interface. The flaw is not listed in the CISA KEV catalog, suggesting no known public exploits yet; however, the ease of cookie forgery with a shared key means the exposed surface remains high, and the vulnerability should be treated as a critical asset risk until patched.

Generated by OpenCVE AI on June 23, 2026 at 22:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router’s firmware to R6B032 or later, which removes the hard‑coded AES key and implements secure session cookie handling.
  • If an upgrade is not immediately feasible, restrict external access to the web management interface and enforce network segmentation so that only trusted management hosts can reach the device.
  • Monitor management logs for suspicious authentication attempts and verify that no unauthorized administrative sessions exist.


Advisories

No advisories yet.

History

Tue, 23 Jun 2026 16:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 14:45:00 +0000

Type: Description
Values removed: (none)
Values added: NetComm NF20MESH routers running firmware R6B031 and earlier contain an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by exploiting a hardcoded AES-256 key used to encrypt session cookies for the web management interface. Attackers can forge a valid encrypted session cookie using the shared hardcoded key and bypass authentication checks to obtain full administrative control of the management interface while any legitimate administrator session is active.

Type: Title
Values removed: (none)
Values added: NetComm NF20MESH < R6B032 Hardcoded AES Key Authentication Bypass

Type: Weaknesses
Values removed: (none)
Values added: CWE-321

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1
{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0
{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T15:11:17.525Z

Reserved: 2026-03-31T20:40:15.618Z

Link: CVE-2026-35019

Vulnrichment

Updated: 2026-06-23T15:11:14.297Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T22:15:04Z

Weaknesses
  • CWE-321: Use of Hard-coded Cryptographic Key