NETGEAR WAX610/WAX610Y Credential Logging via Syslog (10.8.11.4)
CVE-2025-12940 Published on November 11, 2025
Credentials recorded in logs in NETGEAR WAX610 and WAX610Y
Login credentials are inadvertently recorded in logs if a Syslog Server is configured in NETGEAR WAX610 and WAX610Y (AX1800 Dual Band PoE Multi-Gig Insight Managed WiFi 6 Access Points). A user having access to the syslog server can read the logs containing these credentials.
This issue affects WAX610: before 10.8.11.4; WAX610Y: before 10.8.11.4.
Devices managed with Insight get automatic updates. If not, please check the firmware version and update to the latest.
Fixed in:
- WAX610 firmware 11.8.0.10 or later.
- WAX610Y firmware 11.8.0.10 or later.
Weakness Type
Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Affected Versions
- NETGEAR WAX610: before 10.8.11.4 is affected.
- NETGEAR WAX610Y: before 10.8.11.4 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.