CVE-2019-20704

HIGH

NETGEAR XR500 D3600 D6000 Firmware - Authenticated Command Injection

Title source: llm

Description

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D3600 before 1.0.0.76, D6000 before 1.0.0.76, and XR500 before 2.3.2.32.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://kb.netgear.com/000061225/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Routers-and-Gateways-PSV-2018-0392

Scores

CVSS v3 8.0

EPSS 0.0034

EPSS Percentile 57.1%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-77

Status published

Products (3)

netgear/d3600_firmware < 1.0.0.76

netgear/d6000_firmware < 1.0.0.76

netgear/xr500_firmware < 2.3.2.32

Published Apr 16, 2020

Tracked Since Feb 18, 2026