Executive Summary
CVE-2026-0419 is an insufficient input validation flaw in the NETGEAR JR6150 AC750 dual band router that allows any client connected to the local WiFi network to execute operating system commands with router-level privileges. The device reached End-of-Support in 2018, no patch will be issued, and any JR6150 bridging a wireless segment to industrial assets becomes a foothold for lateral movement into the control environment.
Technical Exposure Breakdown
The vulnerability sits in firmware logic that fails to sanitize user-supplied input before passing it to a shell context. Once a parameter reaches an underlying system call without validation, an attacker injects shell metacharacters and arbitrary commands run under the privilege of the handling process, typically root on consumer-grade SOHO routers of this generation. The attacker requires no credentials beyond local WiFi network access, which on a router released in 2014 may mean nothing more than WPA2 with a weak or default pre-shared key.
The finding was identified through firmware emulation in a controlled research environment and has not been confirmed against production hardware. That distinction matters for OT operators. Emulation establishes the code path exists and is reachable, but timing, watchdog behavior, and memory constraints on physical silicon can change exploit reliability. Do not treat the absence of production verification as a reason to defer mitigation. Treat it as a reason not to attempt active validation against a live device on your network.
There is no CVSS score assigned and the flaw is not in the known exploited vulnerability catalog. Neither fact reduces the risk. An unauthenticated to wireless-local command execution primitive on a device with no available patch is the kind of exposure that does not need a public exploit to be dangerous in a targeted intrusion.
OT Impact and Compliance Risk
The JR6150 is a consumer product, which is precisely why it shows up where it should not. Field offices, remote pump stations, contractor staging areas, and temporary instrumentation drops frequently inherit whatever WiFi hardware was on hand. When one of these routers sits between a wireless laptop or HMI and a control segment, command execution on the router lets an attacker pivot, sniff plaintext protocols, alter routing, or stage tooling for deeper access into Purdue Level 1 and Level 2 assets.
From a standards perspective, IEC 62443 zone and conduit separation is violated the moment a consumer router with no patch lifecycle forms a conduit between trust zones. Under NERC CIP, any such device inside or bridging an Electronic Security Perimeter is an unmanaged Cyber Asset that fails CIP-007 patch management and CIP-005 access control expectations. Water and wastewater operators subject to AWIA 2018 risk assessments must account for these devices in their resilience posture. Pipeline operators under TSA SD-02C face explicit segmentation and access control requirements that an exploitable EOL router undermines directly.
Compensating Controls
No vendor patch exists and none is coming, so the primary control is physical and architectural removal. Identify every JR6150 in your environment through passive asset inventory rather than active scanning. Active probing of fragile EOL firmware can hang or brick the device and disrupt whatever it connects. Use SPAN port traffic analysis and existing DHCP and ARP records to locate them.
Where immediate replacement is not feasible, isolate the device behind a managed firewall and treat its wireless segment as untrusted. Block the WiFi client subnet from initiating any connection to OT address space. Implement a virtual patch at the upstream inspection point. A Suricata rule concept here watches HTTP request bodies and query parameters destined for the router management interface for shell metacharacters such as semicolon, backtick, pipe, and dollar-paren constructs, alerting and dropping on match. Disable remote management, rotate the WPA2 pre-shared key to a high-entropy value, and reduce wireless transmit range so the attack surface does not extend beyond the physical boundary you control.
The durable answer is asset retirement. Any router that lost security support in 2018 has accumulated six years of unpatched defects and should not exist on a path to a control network.
BreachSpider Intel Footer
BreachSpider tracks End-of-Support device exposure and command injection patterns across OT edge infrastructure so operators can identify unmanaged assets before they become intrusion paths.