CVE-2016-1525

HIGH

NETGEAR Management System NMS300 <1.5.0.11 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-1525. PoCs have been published by Metasploit and Pedro Ribeiro, including the Metasploit module exploits/windows/http/netgear_nms_rce.

AI-analyzed exploit summary: This Metasploit module exploits an arbitrary file upload vulnerability in NETGEAR ProSafe NMS300, allowing unauthenticated remote code execution as SYSTEM via a malicious JSP payload.

Description

Directory traversal vulnerability in data/config/image.do in NETGEAR Management System NMS300 1.5.0.11 and earlier allows remote authenticated users to read arbitrary files via a .. (dot dot) in the realName parameter.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/39515

This Metasploit module exploits an arbitrary file upload vulnerability in NETGEAR ProSafe NMS300, allowing unauthenticated remote code execution as SYSTEM via a malicious JSP payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: NETGEAR ProSafe Network Management System 300 (versions 1.5.0.2, 1.4.0.17, 1.1.0.13)
No auth needed
Prerequisites: Network access to the target's port 8080 · Vulnerable version of NETGEAR ProSafe NMS300
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Pedro Ribeiro · text · webapps · hardware
https://www.exploit-db.com/exploits/39412

This exploit demonstrates an unauthenticated arbitrary file upload vulnerability (CVE-2016-1525) in NETGEAR ProSafe NMS300, allowing remote code execution as SYSTEM via JSP upload. It also details an authenticated arbitrary file download vulnerability (CVE-2016-1524) using path traversal.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: NETGEAR ProSafe Network Management System NMS300 (versions 1.5.0.11, 1.5.0.2, 1.4.0.17, 1.1.0.13)
No auth needed
Prerequisites: Network access to the NMS300 web interface
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/netgear_nms_rce.rb

This Metasploit module exploits an authentication bypass and arbitrary file upload vulnerability in NETGEAR ProSafe NMS300 to achieve remote code execution as SYSTEM. It uploads a malicious JSP file containing a base64-encoded payload, then triggers execution via a GET request.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: NETGEAR ProSafe Network Management System 300 (versions 1.5.0.2, 1.4.0.17, 1.1.0.13, 1.7.0.12, 1.7.0.1)
No auth needed
Prerequisites: Network access to the target's web interface (port 8080 by default)
devstral-2 · analyzed Apr 24, 2026

References (8)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/537446/100/0/threaded
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2016/Feb/30
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39515/
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39412/
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/777024

Scores

CVSS v3 8.6
EPSS 0.8031
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Details

CWE
CWE-22
Status published
Products (1)
netgear/prosafe_network_management_software_300 1.5.0.11
Published Feb 13, 2016
Tracked Since Feb 18, 2026