Table of Contents
The FCC’s March 2026 order banning new foreign-made consumer routers is framed as a national security measure. The threat is real: Volt Typhoon, Salt Typhoon, and Flax Typhoon are documented Chinese state-sponsored campaigns that used compromised routers as footholds in U.S. infrastructure. Nobody is disputing that unsecured routers are a genuine risk.
What is worth examining is who benefits most from the ban and whether that beneficiary has earned the implicit security endorsement.
Netgear is headquartered in San Jose, California. Under the FCC’s new conditional approval framework, U.S.-headquartered companies are significantly better positioned to navigate the exemption process than foreign competitors. Netgear’s stock jumped 16.7 percent the day the ban was announced. The company issued a formal statement praising the ruling, the only major router brand to do so.
So let’s look at Netgear’s actual security record.
What the CVE Database Shows
Our RouterCVE database, which pulls live data from the National Vulnerability Database every four hours, tells a clear story. Netgear has accumulated 1,332 documented CVEs over the life of its product line. That puts it solidly in the consumer-brand tier of the vulnerability landscape, well above every enterprise brand we track.
For context, Peplink has 12 total CVEs across its entire product history. Cradlepoint has 8. Teltonika has 5. Inseego, Digi, Semtech, and Katalyst round out the enterprise side with similarly low counts.
TP-Link, the brand the ban most visibly targets, has 4,488 total CVEs. That is a genuinely alarming number and a legitimate data point in the security conversation. But Netgear’s 1,332 is not a credential. It is a vulnerability history.
You can check current grades for Netgear and every brand we track at https://RouterCVE.com/reportcard/, updated automatically every four hours from NVD data.
Recent Vulnerabilities Are Not Ancient History
Some might argue that historical CVE counts reflect older, less-maintained product lines. The recent record does not support that defense for Netgear.
In February 2025, Netgear disclosed an unauthenticated remote code execution vulnerability affecting the XR1000, XR1000v2, and XR500 gaming routers. No CVE ID was assigned, and the fix required a manual firmware update that most home users will never apply. Unauthenticated RCE means an attacker can execute arbitrary commands on the device without needing a username or password.
In December 2025, Netgear published a security advisory covering multiple active vulnerabilities including a man-in-the-middle attack on the Nighthawk line’s speedtest feature and an OS command injection flaw in the R7000P. The R7000P fix was declined entirely because the device had reached end-of-support. Netgear’s official recommendation was to buy a new router.
That pattern, end-of-support declarations in place of patches, is a persistent theme. Eclypsium, a supply chain security firm, documented that Netgear has issued over 500 security advisories and flagged specific concerns about third-party firmware components, limited enterprise patch management integration, and the use of Netgear hardware in portable “fly-away” network kits where security posture is rarely verified post-deployment.
A vulnerability from 2013, CVE-2024-12847, was still being actively exploited in the wild as recently as January 2025. The flaw, a CVSS 9.8 authentication bypass and command injection affecting the DGN1000 and DGN2000, had been disclosed eleven years earlier. The CVE entry was not formally published until 2025. Attackers were using it to install cryptocurrency miners on compromised routers.
The Security Framing Does Not Hold Up
We covered the mechanics of the FCC ban in our earlier post when the ruling dropped. The conditional approval process requires applicants to submit a plan for shifting manufacturing to the United States, which is an industrial policy requirement dressed in security language. The process has no established timeline and no transparency requirements.
The drone ban that preceded this one provides the only precedent we have. Four conditional approvals were granted. All four went to non-Chinese manufacturers. DJI and Autel, the dominant players in consumer drones, remain locked out with no timeline.
The router ban follows the same architecture. TP-Link currently faces a Texas AG lawsuit and multiple federal investigations tied to its Chinese origins. Navigating the conditional approval process requires legal infrastructure, Washington relationships, and a credible domestic manufacturing roadmap. Those are not security requirements. They are structural advantages for established U.S. companies, Netgear chief among them.
Meanwhile, the millions of foreign-made routers already deployed in American homes are entirely untouched by the ban. New models cannot enter the market. Existing inventory can still be sold, supported, and used indefinitely. If the goal were to actually reduce the attack surface on U.S. networks, you would have a mandatory replacement program backed by enforcement. You do not. You have a market entry barrier.
What Actually Protects Your Network
The CVE record across enterprise brands is not an accident. Manufacturers like Peplink, Cradlepoint, Teltonika, Inseego, Digi, Semtech, and Katalyst serve customers who have contractual security requirements and the technical staff to enforce them. That creates different engineering incentives than a consumer market built around price competition.
Enterprise brands run dedicated security teams. They issue patches on a structured cadence. They maintain product lines for longer cycles with documented end-of-support timelines rather than surprise advisories followed by buy-a-new-router recommendations. Their customers notice when something breaks or goes unpatched, and those customers have SLAs and procurement officers with long memories.
Consumer brands, including Netgear, compete on features and price. Security investment is a cost center in that model. The CVE counts reflect that.
The FCC ban may eventually reshape parts of the router supply chain. It will not, by itself, make American networks more secure. Security comes from the engineering choices, patch culture, and support commitments that vendors make regardless of where their hardware is assembled.
If you want to understand the current security posture of the brands in your network, our Router CVE Report Card updates automatically every four hours with data straight from the NVD. Grades are calculated across 30-day, 12-month, and all-time windows so you can see both recent activity and historical exposure.
Questions about enterprise cellular router options from Peplink, Cradlepoint, Teltonika, Inseego, Digi, Semtech, or Katalyst? Reach out to our team and we will help you find the right fit.
5Gstore Take
We think the FCC’s security concerns about router infrastructure are legitimate. The documented Chinese state-sponsored attacks on U.S. networks are real, and routers are a proven attack vector. Nobody at 5Gstore is arguing that the threat is invented.
What we are arguing is that the remedy does not match the stated problem, and that the company positioned to benefit most from the ban does not have a security record that justifies that positioning. Netgear’s 1,332 CVEs, its pattern of end-of-support declarations in place of patches, and its recently disclosed unauthenticated RCE vulnerabilities are all public information. The NVD data does not care about stock price or press releases.
If national security is the actual priority, the answer is rigorous, independent security certification for any router sold in the U.S., regardless of where it is made. Not a manufacturing onshoring requirement wrapped in a threat assessment.
We will keep tracking the numbers. You can see the live grades at https://RouterCVE.com/reportcard/. If you have questions about any of the enterprise brands we carry, contact us here.
Frequently Asked Questions
Does the FCC router ban mean Netgear routers are secure?
No. The ban restricts new foreign-made routers from entering the U.S. market. It does not certify that any domestic brand meets a security standard. Netgear has 1,332 documented CVEs in the National Vulnerability Database, and the company has issued over 500 security advisories across its product line.
What is the 5Gstore Router CVE Report Card?
It is a free tool we built that pulls live data from the NVD every four hours and grades router manufacturers on recent and historical vulnerability activity. You can check current grades at https://RouterCVE.com/reportcard/.
How do enterprise router brands compare to Netgear on CVEs?
Significantly better. Peplink has 12 total CVEs historically. Cradlepoint has 8. Teltonika has 5. Netgear has 1,332. The difference reflects fundamentally different security investment models between the consumer and enterprise segments.
What is an unauthenticated RCE vulnerability?
Remote code execution, or RCE, means an attacker can run commands on a device without physical access. Unauthenticated means they do not need a username or password to do it. Netgear disclosed one affecting multiple Nighthawk and gaming router models in February 2025.
Can Netgear get a conditional approval exemption under the FCC ban?
The conditional approval process is open to any manufacturer, domestic or foreign, that submits a plan to move manufacturing to the United States. U.S.-headquartered companies like Netgear are structurally better positioned to navigate that process than foreign competitors currently under federal investigation. No timeline for decisions has been established.
Can Netgear get a conditional approval exemption under the FCC ban? The conditional approval process is open to any manufacturer, domestic or foreign, that submits a plan to move manufacturing to the United States. U.S.-headquartered companies like Netgear are structurally better positioned to navigate that process than foreign competitors currently under federal investigation. No timeline for decisions has been established.
Is TP-Link’s security record actually worse than Netgear’s?
By raw CVE count, yes. TP-Link has 4,488 total CVEs versus Netgear’s 1,332. Neither number represents a strong security endorsement. The FCC ban framing treats the presence of TP-Link’s CVE count as a disqualifier while implicitly treating Netgear’s position as acceptable.
Which routers does 5Gstore recommend for business use?
We carry Peplink, Cradlepoint, Teltonika, Inseego, Digi, Semtech, and Katalyst. All of them show significantly lower CVE counts than consumer brands, and all are backed by enterprise support structures with documented firmware cadences. Contact our team to discuss options for your deployment.
