CVE-2025-12940

11.11.2025, 17:15

Login credentials are inadvertently recorded in logs if a Syslog Server is configured in NETGEAR WAX610
and WAX610Y (AX1800 Dual Band PoE Multi-Gig Insight Managed WiFi 6
Access Points). An user having access to the syslog server can read the logs containing these credentials.

This issue affects WAX610: before 10.8.11.4; WAX610Y: before 10.8.11.4.


Devices
managed with Insight get automatic updates. If not, please check the firmware version
and update to the latest. 





Fixed in:



WAX610 firmware
11.8.0.10 or later.



WAX610Y firmware
11.8.0.10 or later.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
NETGEAR	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-532 - Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

https://kb.netgear.com/000070355/NETGEAR-Security-Advisories-November-2025

https://www.netgear.com/support/product/wax610

https://www.netgear.com/support/product/wax610y