CVE-2020-35782

Certain NETGEAR devices are affected by lack of access control at the function level. This affects JGS516PE before 2.6.0.48, JGS524Ev2 before 2.6.0.48, JGS524PE before 2.6.0.48, and GS116Ev2 before 2.6.0.48. The TFTP firmware update mechanism does not properly implement firmware validations, allowing remote attackers to write arbitrary data to internal memory.

Published: Dec 30, 2020
Updated: Apr 14, 2023
CVE: CVE-2020-35782
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVSS v2:

Severity: High
Score: 7.8
AV:A/AC:L/Au:N/C:N/I:C/A:C

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
netgear / jgs516pe_firmware	-	2.6.0.48
netgear / jgs524e_firmware	-	2.6.0.48
netgear / jgs524pe_firmware	-	2.6.0.48
netgear / gs116e_firmware	-	2.6.0.48

https://kb.netgear.com/000062636/Security-Advisory-for-Missing-Function-Level-Access-Control-on-Some-Smart-Managed-Plus-Switches-PSV-2020-0378
https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/

Vulnerability Database

289,871

CVE-2020-35782