Vulnerability Details CVE-2020-35801
Certain NETGEAR devices are affected by incorrect configuration of security settings. This affects JGS516PE before 2.6.0.48, JGS524Ev2 before 2.6.0.48, JGS524PE before 2.6.0.48, and GS116Ev2 before 2.6.0.48. A TFTP server was found to be active by default. It allows remote authenticated users to update the switch firmware.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 55.5%
CVSS Severity
CVSS v3 Score 8.3
CVSS v2 Score 5.5
References
- https://kb.netgear.com/000062635/Security-Advisory-for-Security-Misconfiguration-on-Some-Smart-Managed-Plus-Switches-PSV-2020-0376
- https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/
- https://kb.netgear.com/000062635/Security-Advisory-for-Security-Misconfiguration-on-Some-Smart-Managed-Plus-Switches-PSV-2020-0376
- https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/
Products affected by CVE-2020-35801
-
cpe:2.3:h:netgear:gs116e:v2
-
cpe:2.3:h:netgear:jgs516pe:-
-
cpe:2.3:h:netgear:jgs524e:v2
-
cpe:2.3:h:netgear:jgs524pe:-
-
cpe:2.3:o:netgear:gs116e_firmware:2.6.0.35
-
cpe:2.3:o:netgear:gs116e_firmware:2.6.0.43
-
cpe:2.3:o:netgear:jgs516pe_firmware:-
-
cpe:2.3:o:netgear:jgs516pe_firmware:2.6.0.35
-
cpe:2.3:o:netgear:jgs516pe_firmware:2.6.0.43
-
cpe:2.3:o:netgear:jgs524e_firmware:2.6.0.35
-
cpe:2.3:o:netgear:jgs524pe_firmware:2.6.0.35