Description
Certain NETGEAR devices are affected by lack of access control at the function level. This affects JGS516PE before 2.6.0.48, JGS524Ev2 before 2.6.0.48, JGS524PE before 2.6.0.48, and GS116Ev2 before 2.6.0.48. The TFTP firmware update mechanism does not properly implement firmware validations, allowing remote attackers to write arbitrary data to internal memory.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://kb.netgear.com/000062636/Security-Advisory-for-Missing-Function-Level-Access-Control-on-Some-Smart-Managed-Plus-Switches-PSV-2020-0378
Exploit, Third Party Advisory x_refsource_misc
https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/
Scores
CVSS v3
8.1
EPSS
0.0031
EPSS Percentile
54.5%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Details
Status
published
Products (4)
netgear/gs116e_firmware
< 2.6.0.48
netgear/jgs516pe_firmware
< 2.6.0.48
netgear/jgs524e_firmware
< 2.6.0.48
netgear/jgs524pe_firmware
< 2.6.0.48
Published
Dec 30, 2020
Tracked Since
Feb 18, 2026