CVE-2016-1524

CRITICAL

NETGEAR Management System NMS300 <1.5.0.11 - RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-1524. PoCs published by Pedro Ribeiro, including Metasploit module auxiliary/admin/http/netgear_auth_download.

AI-analyzed exploit summary: This exploit demonstrates an unauthenticated arbitrary file upload vulnerability (CVE-2016-1525) in NETGEAR ProSafe NMS300, allowing remote code execution as SYSTEM via JSP upload. It also details an authenticated arbitrary file download vulnerability (CVE-2016-1524) using path traversal.

Description

Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2) lib-1.0/external/flash/fileUpload.do to upload a JSP file, and then accessing it via a direct request for a /null URI.

Exploits (2)

exploitdb WORKING POC
by Pedro Ribeiro · text · webapps · hardware
https://www.exploit-db.com/exploits/39412

This exploit demonstrates an unauthenticated arbitrary file upload vulnerability (CVE-2016-1525) in NETGEAR ProSafe NMS300, allowing remote code execution as SYSTEM via JSP upload. It also details an authenticated arbitrary file download vulnerability (CVE-2016-1524) using path traversal.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: NETGEAR ProSafe Network Management System NMS300 (versions 1.5.0.11, 1.5.0.2, 1.4.0.17, 1.1.0.13)
No auth needed
Prerequisites: Network access to the NMS300 web interface
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/netgear_auth_download.rb

This Metasploit module exploits an authenticated file download vulnerability in NETGEAR ProSafe NMS300, allowing an attacker to download arbitrary files from the system. It includes authentication handling and directory traversal brute-forcing.

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: NETGEAR ProSafe Network Management System 300 (versions 1.5.0.2, 1.4.0.17, 1.1.0.13)
Auth required
Prerequisites: Valid credentials for the NETGEAR NMS300 application · Network access to the target system
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/537446/100/0/threaded
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2016/Feb/30
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/777024
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39412/

Scores

CVSS v3 9.6
EPSS 0.6573
EPSS Percentile 98.5%
Attack Vector ADJACENT_NETWORK
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

Status published
Products (1)
netgear/prosafe_network_management_software_300 < 1.5.0.11
Published Feb 13, 2016
Tracked Since Feb 18, 2026