Security News > 2021 > March > Unpatched Flaws in Netgear Business Switches Expose Organizations to Attacks
Security researchers have identified multiple vulnerabilities in ProSAFE Plus JGS516PE and GS116Ev2 business switches from Netgear, the most severe of which could allow a remote, unauthenticated attacker to execute arbitrary code.
A total of 15 vulnerabilities affecting Netgear switches that use the ProSAFE Plus configuration utility were found to expose users to various risks, according to researchers with IT security firm NCC Group.
The researchers also discovered that the Netgear Switch Discovery Protocol, a network protocol functioning as a discovery method that also allows for switch management, fails to properly handle authentication packages, thus leading to authentication bypasses.
NCC Group says that Netgear has informed them that the NSDP has reached end of life and that none of the issues identified in it will be addressed.
Other high-severity vulnerabilities in Netgear's switches could lead to denial of service, or could allow an attacker to generate valid passwords or perform requests using a single authenticated packet.
In December 2020, Netgear released firmware version 2.6.0.48, which includes patches for CVE-2020-35220, CVE-2020-35232, CVE-2020-35233, and other issues.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-03-10 | CVE-2020-35232 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. | 0.0 |
| 2021-03-10 | CVE-2020-35233 | Resource Exhaustion vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware The TFTP server fails to handle multiple connections on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices, and allows external attackers to force device reboots by sending concurrent connections, aka a denial of service attack. | 6.5 |
| 2021-03-10 | CVE-2020-35220 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. | 0.0 |