Security Misconfiguration in NETGEAR Smart Managed Plus Switches
CVE-2020-35801

8.3HIGH

Key Information:

Vendor: Netgear
Status: Jgs516pe Firmware
Vendor: CVE Published:; 30 December 2020

Summary

Certain NETGEAR Smart Managed Plus switches suffer from a security misconfiguration due to an active TFTP server by default, allowing remote authenticated users to update the switch firmware. This misconfiguration impacts several models, including JGS516PE, JGS524Ev2, JGS524PE, and GS116Ev2, which are vulnerable if running versions prior to 2.6.0.48. Proper management of device configurations is essential to mitigate these risks and ensure the security of network infrastructure.

References

https://kb.netgear.com/000062635/Security-Advisory-for-Se...

x_refsource_MISC

https://research.nccgroup.com/2021/03/08/technical-adviso...

x_refsource_MISC

CVSS V3.1

Score:

8.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 30, 2020
Vulnerability Reserved
Dec 29, 2020