- CVE: CVE-2026-35019
- CVSS: 9.2 (Critical · CVSSv4)
- Product: NetComm Wireless Pty Ltd NF20MESH
- Affected: < R6B032
- Impact: NetComm NF20MESH < R6B032 Hardcoded AES Key Authentication Bypass
- Status: No confirmed exploitation yet
- Patched in: R6B032
- EPSS: 0.4% (30-day)
- Action: Update to R6B032 now
TL;DR
Signal 11 disclosed a NetComm authentication bypass tracked as CVE-2026-35019. The flaw scores 9.2 on CVSS and grants admin access. It affects NF20MESH routers on firmware R6B031 and earlier.
Why It Matters
Home and small-office routers guard the edge of a network. NetComm sells these mesh units to consumers and small businesses. Full admin access lets an attacker reroute or snoop on traffic. They could also change DNS or push malicious settings. So a router takeover threatens every device behind it.
How the Attack Works
The router encrypts session cookies with a hardcoded AES-256 key. Because that key ships in the firmware, anyone can extract it. The same key appears across affected devices. An attacker then forges a valid encrypted session cookie. The device checks only that a session exists and that the cookie decrypts. So the forged cookie passes the authentication check. However, one condition limits the attack. A legitimate administrator must be logged in at that moment.
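The check logic described above, modelled as an added example (not NetComm's firmware code and not taken from the Signal 11 report). An HMAC tag stands in for the AES cookie encryption because Python's standard library has no AES. The key value, the `Router` class and both hardened variants (binding the cookie to a live session, a per-device random key) are assumptions for illustration, not the fix shipped in R6B032.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder for a key that is identical in every firmware image.
SHARED_FIRMWARE_KEY = b"constructed-placeholder-key"

def seal(key, payload):  # stand-in for the keyed cookie transform
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def unseal(key, cookie):  # payload if the 32-byte tag verifies, else None
    if len(cookie) <= 32:
        return None
    payload, tag = cookie[:-32], cookie[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None

class Router:
    def __init__(self, key, bind_to_session):
        self.key, self.bind_to_session = key, bind_to_session
        self.sessions = set()  # server-side table of live session IDs

    def login(self):
        sid = secrets.token_bytes(16)
        self.sessions.add(sid)
        return seal(self.key, sid)

    def is_authenticated(self, cookie):
        sid = unseal(self.key, cookie)
        if sid is None:
            return False
        if self.bind_to_session:
            return sid in self.sessions  # cookie must name a live session
        return bool(self.sessions)  # the flawed check: any live session will do

def compare_checks():
    # Cookie produced off-device by a party holding only the firmware-wide key.
    outside = seal(SHARED_FIRMWARE_KEY, secrets.token_bytes(16))
    weak = Router(SHARED_FIRMWARE_KEY, bind_to_session=False)
    bound = Router(SHARED_FIRMWARE_KEY, bind_to_session=True)
    hardened = Router(secrets.token_bytes(32), bind_to_session=True)
    no_admin = weak.is_authenticated(outside)
    for router in (weak, bound):
        router.login()  # an administrator signs in
    admin_cookie = hardened.login()
    return {"weak_no_admin": no_admin,
            "weak_admin_online": weak.is_authenticated(outside),
            "bound_shared_key": bound.is_authenticated(outside),
            "hardened_outside": hardened.is_authenticated(outside),
            "hardened_admin": hardened.is_authenticated(admin_cookie)}
```

Only `weak_admin_online` and `hardened_admin` come back true: the flawed check accepts the outside cookie once any administrator is logged in, while binding the cookie to a server-side session ID rejects it even with the shared key still in place.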
Exploitation Status
Signal 11 reports no in-the-wild exploitation of this NetComm authentication bypass. Likewise, no public proof-of-concept exists yet.
Affected Versions
The flaw affects NF20MESH routers on firmware R6B031 and earlier. Signal 11 notes other NetComm models may also be affected.
Patch and Mitigation
NetComm fixed the issue in firmware R6B032. Update affected routers to that version now. You can find the release on NetComm’s firmware page. Until you patch, keep the router off the public internet. Also change default passwords and segment the device from sensitive assets. For full details, read the Signal 11 vulnerability report.