Netgear Networking products

Products by Netgear, sorted by most security vulnerabilities since 2018

Netgear Readynas Os: 2 vulnerabilities

Netgear Genie Installer: 1 vulnerability

Netgear Insight: 1 vulnerability

Netgear Wnhde111: 1 vulnerability

By the Year

In 2022 there have been 0 vulnerabilities published for Netgear so far. Last year Netgear had 6 security vulnerabilities published. Right now, Netgear is on track to have fewer security vulnerabilities in 2022 than it did last year.

Year  Vulnerabilities  Average CVSS Score
2022  0                0.00
2021  6                8.15
2020  4                7.50
2019  1                7.60
2018  0                0.00

It may take a day or so for new Netgear vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Netgear Security Vulnerabilities

All known versions of the Netgear Genie Installer for macOS contain a local privilege escalation vulnerability

CVE-2021-20172 7.8 - High - December 30, 2021

All known versions of the Netgear Genie Installer for macOS contain a local privilege escalation vulnerability. The installer of the macOS version of Netgear Genie handles certain files in an insecure way. A malicious actor who has local access to the endpoint on which the software is going to be installed may overwrite certain files to obtain privilege escalation to root.

Improper Privilege Management

This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26

CVE-2021-27272 7.1 - High - March 29, 2021

This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ReportTemplateController class. When parsing the path parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-12123.

Directory traversal

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26

CVE-2021-27273 8.8 - High - March 29, 2021

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the SettingConfigController class. When parsing the fileName parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12121.

Shell injection

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26

CVE-2021-27274 9.8 - Critical - March 29, 2021

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MFileUploadController class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12124.

Unrestricted File Upload

This vulnerability allows remote attackers to disclose sensitive information and delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26

CVE-2021-27275 8.3 - High - March 29, 2021

This vulnerability allows remote attackers to disclose sensitive information and delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ConfigFileController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose sensitive information or to create a denial-of-service condition on the system. Was ZDI-CAN-12125.

Directory traversal

This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26

CVE-2021-27276 7.1 - High - March 29, 2021

This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the MibController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-12122.

Directory traversal

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL

CVE-2020-12695 7.5 - High - June 08, 2020

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Incorrect Default Permissions

NETGEAR ReadyNAS devices before 6.9.3 are affected by incorrect configuration of security settings.

CVE-2018-21159 4.9 - Medium - April 27, 2020

NETGEAR ReadyNAS devices before 6.9.3 are affected by incorrect configuration of security settings.

NETGEAR ReadyNAS devices before 6.9.3 are affected by CSRF.

CVE-2018-21160 8.8 - High - April 23, 2020

NETGEAR ReadyNAS devices before 6.9.3 are affected by CSRF.

Session Riding

NETGEAR ReadyNAS devices before 6.9.3 are affected by CSRF.

CVE-2018-21102 8.8 - High - April 23, 2020

NETGEAR ReadyNAS devices before 6.9.3 are affected by CSRF.

Session Riding

NETGEAR Insight Cloud with firmware before Insight 5.6

CVE-2019-12591 7.6 - High - June 03, 2019

NETGEAR Insight Cloud with firmware before Insight 5.6 allows remote authenticated users to achieve command injection.

Command Injection

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Icons by Icons8.