Home

Description

Login credentials are inadvertently recorded in logs if a Syslog Server is configured in NETGEAR WAX610 and WAX610Y (AX1800 Dual Band PoE Multi-Gig Insight Managed WiFi 6 Access Points). An user having access to the syslog server can read the logs containing these credentials.  This issue affects WAX610: before 10.8.11.4; WAX610Y: before 10.8.11.4. Devices managed with Insight get automatic updates. If not, please check the firmware version and update to the latest. Fixed in: WAX610 firmware 11.8.0.10 or later. WAX610Y firmware 11.8.0.10 or later.

PUBLISHED Reserved 2025-11-10 | Published 2025-11-11 | Updated 2025-11-14 | Assigner NETGEAR




LOW: 0.5CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:L/U:Amber

Problem types

CWE-532 Insertion of Sensitive Information into Log File

Product status

Default status
unaffected

Any version before 10.8.11.4
affected

Default status
unaffected

Any version before 10.8.11.4
affected

Credits

filiperfonseca finder

References

www.netgear.com/support/product/wax610 product patch

www.netgear.com/support/product/wax610y product patch

kb.netgear.com/.../NETGEAR-Security-Advisories-November-2025 vendor-advisory

cve.org (CVE-2025-12940)

nvd.nist.gov (CVE-2025-12940)

Download JSON