How is CVE-2026-35019 exploited?

Network reachability (required): The web management interface is exposed over the network, so the attacker must be able to reach it remotely over TCP to deliver the forged session cookie. Authentication (not-required): No credentials are needed; the hardcoded AES-256 key allows the attacker to forge a valid session cookie and bypass all authentication checks entirely. Victim interaction (required): A legitimate administrator session must be active at the time of the attack, as the bypass depends on the presence of a valid concurrent admin session on the management interface. Attack complexity (info): The base exploit is reliable and condition-free once the attacker has the hardcoded key (extractable from firmware), though the attack target (AT:P) indicates a specific prerequisite condition, specifically an active admin session, must be met.

What is the impact of CVE-2026-35019?

Reads all router configuration data, including stored Wi-Fi credentials, VPN keys, and connected-device records. Modifies network routing rules, DNS settings, and firewall policies across the device. Adds rogue administrative accounts or removes existing ones, locking out legitimate administrators. Crashes or restarts the management interface or connected services, disrupting network availability for all devices on the segment.

Back to search

CRITICALCVE-2026-35019Published 2026-06-23Modified 2026-06-23CNA VulnCheck

CVE-2026-35019: NetComm NF20MESH < R6B032 Hardcoded AES Key Authentication Bypass

Q: What is CVE-2026-35019?

This is an authentication bypass vulnerability in the NetComm NF20MESH router firmware (versions prior to R6B032). The router's web management interface encrypts session cookies using a hardcoded AES-256 key, meaning any attacker who knows the key (which is static and extractable from the firmware) can forge a valid session cookie and gain full administrative access without any credentials. Exploitation requires no authentication and is reachable over the network while a legitimate admin session is active, giving the attacker complete administrative control of the device. A patched-image rebuild at firmware version R6B032 is available on HarborGuard for affected environments.

Q: How is CVE-2026-35019 fixed?

A patched-image rebuild at firmware version R6B032 is available on HarborGuard for environments running an affected version of the NF20MESH image. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a PR against affected workloads automatically.

NetComm NF20MESH routers running firmware R6B031 and earlier contain an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by exploiting a hardcoded AES-256 key used to encrypt session cookies for the web management interface. Attackers can forge a valid encrypted session cookie using the shared hardcoded key and bypass authentication checks to obtain full administrative control of the management interface while any legitimate administrator session is active.

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: R6B032
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an authentication bypass vulnerability in the NetComm NF20MESH router firmware (versions prior to R6B032). The router's web management interface encrypts session cookies using a hardcoded AES-256 key, meaning any attacker who knows the key (which is static and extractable from the firmware) can forge a valid session cookie and gain full administrative access without any credentials. Exploitation requires no authentication and is reachable over the network while a legitimate admin session is active, giving the attacker complete administrative control of the device. A patched-image rebuild at firmware version R6B032 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-35019 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including VulnCheck within minutes of publication and matched against customer images and custom-built firmware-based container images in registered pipelines. Any image carrying the affected NF20MESH firmware (versions prior to R6B032) is flagged automatically without requiring manual configuration.

Available

Triage

HarborGuard scores this CVE at 9.2 CRITICAL using the CVSS v4.0 vector, and triage surfacing is available with per-environment compliance policy weighting applied so that findings are routed to the appropriate team inbox inside each customer organization. Customers with network-edge or router-management workloads in scope will see this prioritized against any relevant policy thresholds.

Available

Patch

A patched-image rebuild at firmware version R6B032 is available on HarborGuard for environments running an affected version of the NF20MESH image. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The web management interface is exposed over the network, so the attacker must be able to reach it remotely over TCP to deliver the forged session cookie.
AuthenticationNot required
No credentials are needed; the hardcoded AES-256 key allows the attacker to forge a valid session cookie and bypass all authentication checks entirely.
Victim interactionRequired
A legitimate administrator session must be active at the time of the attack, as the bypass depends on the presence of a valid concurrent admin session on the management interface.
Attack complexityDetail
The base exploit is reliable and condition-free once the attacker has the hardcoded key (extractable from firmware), though the attack target (AT:P) indicates a specific prerequisite condition, specifically an active admin session, must be met.

Blast Radius

Reads all router configuration data, including stored Wi-Fi credentials, VPN keys, and connected-device records.
Modifies network routing rules, DNS settings, and firewall policies across the device.
Adds rogue administrative accounts or removes existing ones, locking out legitimate administrators.
Crashes or restarts the management interface or connected services, disrupting network availability for all devices on the segment.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-35019 is active across customer registries and CI pipelines the moment the advisory is ingested, covering any image that bundles or references the affected NF20MESH firmware prior to R6B032. For environments running an affected firmware version, a patched-image rebuild at R6B032 is available. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs regression tests against the updated image, and opens a PR against affected workloads; for high-severity and critical issues, the median time from CVE publication to merged patch PR for environments with auto-remediation enabled is around 90 minutes. Where compliance policy permits, this finding is routed automatically to the appropriate team inbox with the CVSS 9.2 CRITICAL score applied. Because this vulnerability requires no credentials and is exploitable over the network, customers who cannot immediately apply the R6B032 patch should consider isolating the management interface behind a network policy that restricts access to trusted management subnets only.

See how HarborGuard automates this

Fix available

R6B032

Patch commits

support.netcommwireless.com

Affected packages

NetComm Wireless Pty Ltd / NF20MESH
< R6B032 (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available