This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the circled daemon. A crafted circleinfo.txt file can trigger an overflow of a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15879.
Conclusion & alert: CVE-2022-27646 is rated Moderate Risk (54.5/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.43%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 12.82% | 1.43% | -11.38% |
| 2 | 2026-05-17 | 2.41% | 12.82% | +10.41% |
| 3 | 2026-04-16 | — | 2.41% | — |
Full EPSS history (17 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | [email protected] |
| 8.0 | 3.0 | HIGH |
|
2.1 | 5.9 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| netgear | r6400_firmware | < 1.0.4.126 | cpe:2.3:o:netgear:r6400_firmware:*:*:*:*:*:*:*:* |
| netgear | r6700_firmware | < 1.0.4.126 | cpe:2.3:o:netgear:r6700_firmware:*:*:*:*:*:*:*:* |
| netgear | r6900p_firmware | < 1.3.3.148 | cpe:2.3:o:netgear:r6900p_firmware:*:*:*:*:*:*:*:* |
| netgear | r7000_firmware | < 1.0.11.134 | cpe:2.3:o:netgear:r7000_firmware:*:*:*:*:*:*:*:* |
| netgear | r7000p_firmware | < 1.3.3.148 | cpe:2.3:o:netgear:r7000p_firmware:*:*:*:*:*:*:*:* |
| netgear | r7850_firmware | < 1.0.5.84 | cpe:2.3:o:netgear:r7850_firmware:*:*:*:*:*:*:*:* |
| netgear | r7960p_firmware | < 1.4.3.88 | cpe:2.3:o:netgear:r7960p_firmware:*:*:*:*:*:*:*:* |
| netgear | r8000_firmware | < 1.0.4.84 | cpe:2.3:o:netgear:r8000_firmware:*:*:*:*:*:*:*:* |
| netgear | r8000p_firmware | < 1.4.3.88 | cpe:2.3:o:netgear:r8000p_firmware:*:*:*:*:*:*:*:* |
| netgear | rax200_firmware | < 1.0.6.138 | cpe:2.3:o:netgear:rax200_firmware:*:*:*:*:*:*:*:* |
| netgear | rax75_firmware | < 1.0.6.138 | cpe:2.3:o:netgear:rax75_firmware:*:*:*:*:*:*:*:* |
| netgear | rax80_firmware | < 1.0.6.138 | cpe:2.3:o:netgear:rax80_firmware:*:*:*:*:*:*:*:* |
| netgear | rs400_firmware | < 1.5.1.86 | cpe:2.3:o:netgear:rs400_firmware:*:*:*:*:*:*:*:* |
| netgear | cbr40_firmware | < 2.5.0.28 | cpe:2.3:o:netgear:cbr40_firmware:*:*:*:*:*:*:*:* |
| netgear | lbr1020_firmware | < 2.7.4.2 | cpe:2.3:o:netgear:lbr1020_firmware:*:*:*:*:*:*:*:* |
| netgear | lbr20_firmware | < 2.7.4.2 | cpe:2.3:o:netgear:lbr20_firmware:*:*:*:*:*:*:*:* |
| netgear | rbr10_firmware | < 2.7.4.24 | cpe:2.3:o:netgear:rbr10_firmware:*:*:*:*:*:*:*:* |
| netgear | rbr20_firmware | < 2.7.4.24 | cpe:2.3:o:netgear:rbr20_firmware:*:*:*:*:*:*:*:* |
| netgear | rbr40_firmware | < 2.7.4.24 | cpe:2.3:o:netgear:rbr40_firmware:*:*:*:*:*:*:*:* |
| netgear | rbr50_firmware | < 2.7.4.24 | cpe:2.3:o:netgear:rbr50_firmware:*:*:*:*:*:*:*:* |
| netgear | rbs10_firmware | < 2.7.4.24 | cpe:2.3:o:netgear:rbs10_firmware:*:*:*:*:*:*:*:* |
| netgear | rbs20_firmware | < 2.7.4.24 | cpe:2.3:o:netgear:rbs20_firmware:*:*:*:*:*:*:*:* |
| netgear | rbs40_firmware | < 2.7.4.24 | cpe:2.3:o:netgear:rbs40_firmware:*:*:*:*:*:*:*:* |
| netgear | rbs50_firmware | < 2.7.4.24 | cpe:2.3:o:netgear:rbs50_firmware:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://kb.netgear.com/000064721/Security-Advisory-for-Multiple-Vulnerabilities-on-Multiple-Products-PSV-2021-0324 | Vendor Advisory |
| https://www.zerodayinitiative.com/advisories/ZDI-22-523/ | Third Party Advisory VDB Entry |