CVE-2025-12940

MEDIUM

NETGEAR WAX610 <10.8.11.4 - Info Disclosure

Title source: llm

Description

Login credentials are inadvertently recorded in logs if a Syslog Server is configured in NETGEAR WAX610 and WAX610Y (AX1800 Dual Band PoE Multi-Gig Insight Managed WiFi 6 Access Points). An user having access to the syslog server can read the logs containing these credentials. This issue affects WAX610: before 10.8.11.4; WAX610Y: before 10.8.11.4. Devices managed with Insight get automatic updates. If not, please check the firmware version and update to the latest. Fixed in: WAX610 firmware 11.8.0.10 or later. WAX610Y firmware 11.8.0.10 or later.

References (3)

[Vendor Advisory] https://kb.netgear.com/000070355/NETGEAR-Security-Advisories-November-2025

[Product] https://www.netgear.com/support/product/wax610

[Product] https://www.netgear.com/support/product/wax610y

Scores

CVSS v3 5.5

EPSS 0.0003

EPSS Percentile 10.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-532

Status published

Affected Products (2)

netgear/wax610y_firmware < 11.8.0.10

netgear/wax610_firmware < 11.8.0.10

Timeline

Published Nov 11, 2025

Tracked Since Feb 18, 2026