Executive Summary

CVE-2026-0412 is an insufficient input validation flaw in the NETGEAR JR6150 AC750 dual band router that permits an authenticated administrator on the local network to make unauthorized modifications to router software and functionality. The device reached End-of-Support in 2018, so there is no vendor patch coming, and any plant or facility network that has quietly retained this hardware at an edge or convenience layer is now operating with permanent unsigned firmware exposure.

Technical Exposure Breakdown

The vulnerable component is the JR6150 web administration interface, which fails to properly validate input handling routines that govern firmware and configuration changes. According to the source, the finding was reproduced through firmware emulation in a controlled research environment rather than against a live device, which is a common method in independent security research for legacy hardware that is risky or expensive to bench.

The attack vector requires LAN adjacency and administrator credentials. That sounds like a high bar until you account for how these routers are actually deployed and how OT networks actually behave. Consumer grade routers like the JR6150 ship with predictable default credentials, are rarely re-keyed after install, and frequently sit on flat network segments where any device with a network path can reach the management plane. The insufficient input validation allows an administrator session to push modified software, meaning an attacker who gains that session can alter routing behavior, inject persistent code, or repurpose the device as a pivot.

The conditions that matter here are not exotic. They are the absence of segmentation, the reuse of default or weak admin passwords, and the continued operation of hardware that stopped receiving updates more than seven years ago. Once a device is past End-of-Support, the input validation defect is not a temporary window. It is a fixed property of the asset.

OT Impact and Compliance Risk

The JR6150 was a 2014 consumer router, so no rational design would place it inside a control zone. The problem is that rational design and field reality diverge. These devices end up bridging vendor laptops, contractor equipment, remote sites, lift stations, and small substations because someone needed wireless access and grabbed available hardware. When that happens, a flat unsegmented router becomes an uncontrolled path between IT and OT.

The physical concern is not that the router itself runs a process. It is that a compromised router with modified firmware becomes a persistent foothold and a man in the middle for traffic crossing it. That can mean manipulation of HMI sessions, disruption of polling between a SCADA master and field RTUs, or denial of remote visibility into a remote asset.

From a compliance standpoint, an unsupported network device inside a defined environment is a direct finding. Under NERC CIP this implicates CIP-007 patch management and CIP-010 configuration and integrity monitoring, because you cannot patch what the vendor will not support. IEC 62443-3-3 zone and conduit requirements are violated the moment this device straddles trust boundaries. For pipeline operators under TSA SD-02C and water utilities subject to AWIA 2018 risk and resilience assessments, an end-of-life edge device with a firmware modification path is exactly the kind of unmanaged asset those frameworks were written to surface.

Compensating Controls

There is no patch. Replacement is the correct end state, but most operators need an interim posture before a hardware swap clears change control. Do not run active vulnerability scans against this device to confirm exposure. Active scanning of fragile legacy networking gear can crash or brick it, and on this hardware the firmware modification handlers are precisely what aggressive probing tends to trigger. Use passive traffic inspection and asset inventory instead.

The honest answer is decommission. Every compensating control above is a way to buy time, not a way to make a 2014 unsupported router safe inside a critical environment.

BreachSpider Intel

BreachSpider tracks end-of-support and unpatched OT edge exposure across 175,000+ products so operators can find devices like the JR6150 before an adversary maps them first.