CVE-2015-8289

HIGH

NETGEAR D3600 and D6000 Firmware <= 1.0.0.49 - Unauthenticated Administrator Password Exposure via passrec.asp

Title source: llm

Description

The password-recovery feature on NETGEAR D3600 devices with firmware 1.0.0.49 and D6000 devices with firmware 1.0.0.49 and earlier allows remote attackers to discover the cleartext administrator password by reading the cgi-bin/passrec.asp HTML source code.

References (2)

Third Party Advisory, US Government Resource (third-party-advisory, x_refsource_cert-vn): http://www.kb.cert.org/vuls/id/778696
Vendor Advisory (x_refsource_confirm): http://kb.netgear.com/app/answers/detail/a_id/30490

Scores

CVSS v3 7.5
EPSS 0.0080
EPSS Percentile 74.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200, CWE-255
Status published
Products (2)
netgear/d3600_firmware 1.0.0.49
netgear/d6000_firmware < 1.0.0.49
Published Jun 20, 2016
Tracked Since Feb 18, 2026