Netgear Networking products
Products by Netgear Sorted by Most Security Vulnerabilities since 2018
Known Exploited Netgear Vulnerabilities
The following Netgear vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| NETGEAR Multiple Devices Exposure of Sensitive Information Vulnerability | Multiple NETGEAR devices are prone to admin password disclosure via simple crafted requests to the web management server. CVE-2017-5521 | September 8, 2022 |
| NETGEAR Multiple Devices Buffer Overflow Vulnerability | Multiple NETGEAR devices contain a buffer overflow vulnerability that allow for authentication bypass and remote code execution. CVE-2017-6862 | June 8, 2022 |
| NETGEAR DGN2200 Devices OS Command Injection Vulnerability | dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands CVE-2017-6334 | March 25, 2022 |
| NETGEAR Multiple WAP Devices Command Injection Vulnerability | Multiple NETGEAR Wireless Access Point devices allows unauthenticated web pages to pass form input directly to the command-line interface. Exploitation allows for arbitrary code execution. CVE-2016-1555 | March 25, 2022 |
| NETGEAR WNR2000v5 Router Buffer Overflow Vulnerability | The NETGEAR WNR2000v5 router contains a buffer overflow which can be exploited to achieve remote code execution. CVE-2016-10174 | March 25, 2022 |
| NETGEAR DGN2200 Remote Code Execution Vulnerability | NETGEAR DGN2200 wireless routers contain a vulnerability which allows for remote code execution. CVE-2017-6077 | March 7, 2022 |
| NETGEAR Multiple Routers Remote Code Execution Vulnerability | NETGEAR confirmed multiple routers allow unauthenticated web pages to pass form input directly to the command-line interface, permitting remote code execution. CVE-2016-6277 | March 7, 2022 |
| Netgear ProSAFE Plus JGS516PE Remote Code Execution vulnerability | NETGEAR JGS516PE devices before 2.6.0.43 are affected by lack of access control at the function level. CVE-2020-26919 | November 3, 2021 |
By the Year
In 2024 there have been 0 vulnerabilities in Netgear . Last year Netgear had 2 security vulnerabilities published. Right now, Netgear is on track to have less security vulnerabilities in 2024 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 2 | 8.80 |
| 2022 | 0 | 0.00 |
| 2021 | 6 | 8.15 |
| 2020 | 4 | 7.50 |
| 2019 | 1 | 7.60 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Netgear vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Netgear Security Vulnerabilities
A low-privileged OS user with access to a Windows host where NETGEAR ProSAFE Network Management System is installed
CVE-2023-49694
7.8 - High
- November 29, 2023
A low-privileged OS user with access to a Windows host where NETGEAR ProSAFE Network Management System is installed can create arbitrary JSP files in a Tomcat web application directory. The user can then execute the JSP files under the security context of SYSTEM.
NETGEAR ProSAFE Network Management System has Java Debug Wire Protocol (JDWP) listening on port 11611 and it is remotely accessible by unauthenticated users
CVE-2023-49693
9.8 - Critical
- November 29, 2023
NETGEAR ProSAFE Network Management System has Java Debug Wire Protocol (JDWP) listening on port 11611 and it is remotely accessible by unauthenticated users, allowing attackers to execute arbitrary code.
Missing Authentication for Critical Function
All known versions of the Netgear Genie Installer for macOS contain a local privilege escalation vulnerability
CVE-2021-20172
7.8 - High
- December 30, 2021
All known versions of the Netgear Genie Installer for macOS contain a local privilege escalation vulnerability. The installer of the macOS version of Netgear Genie handles certain files in an insecure way. A malicious actor who has local access to the endpoint on which the software is going to be installed may overwrite certain files to obtain privilege escalation to root.
Incorrect Permission Assignment for Critical Resource
This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26
CVE-2021-27272
7.1 - High
- March 29, 2021
This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ReportTemplateController class. When parsing the path parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-12123.
Directory traversal
This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26
CVE-2021-27273
8.8 - High
- March 29, 2021
This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the SettingConfigController class. When parsing the fileName parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12121.
Shell injection
This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26
CVE-2021-27274
9.8 - Critical
- March 29, 2021
This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MFileUploadController class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12124.
Unrestricted File Upload
This vulnerability allows remote attackers to disclose sensitive information and delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26
CVE-2021-27275
8.3 - High
- March 29, 2021
This vulnerability allows remote attackers to disclose sensitive information and delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ConfigFileController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose sensitive information or to create a denial-of-service condition on the system. Was ZDI-CAN-12125.
Directory traversal
This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26
CVE-2021-27276
7.1 - High
- March 29, 2021
This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the MibController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-12122.
Directory traversal
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL
CVE-2020-12695
7.5 - High
- June 08, 2020
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
Incorrect Default Permissions
NETGEAR ReadyNAS devices before 6.9.3 are affected by incorrect configuration of security settings.
CVE-2018-21159
4.9 - Medium
- April 27, 2020
NETGEAR ReadyNAS devices before 6.9.3 are affected by incorrect configuration of security settings.
NETGEAR ReadyNAS devices before 6.9.3 are affected by CSRF.
CVE-2018-21160
8.8 - High
- April 23, 2020
NETGEAR ReadyNAS devices before 6.9.3 are affected by CSRF.
Session Riding
NETGEAR ReadyNAS devices before 6.9.3 are affected by CSRF.
CVE-2018-21102
8.8 - High
- April 23, 2020
NETGEAR ReadyNAS devices before 6.9.3 are affected by CSRF.
Session Riding
NETGEAR Insight Cloud with firmware before Insight 5.6
CVE-2019-12591
7.6 - High
- June 03, 2019
NETGEAR Insight Cloud with firmware before Insight 5.6 allows remote authenticated users to achieve command injection.
Command Injection
Buffer overflow in ACME micro_httpd, as used in D-Link DSL2750U and DSL2740U and NetGear WGR614 and MR-ADSL-DG834 routers
CVE-2014-4927
- July 24, 2014
Buffer overflow in ACME micro_httpd, as used in D-Link DSL2750U and DSL2740U and NetGear WGR614 and MR-ADSL-DG834 routers allows remote attackers to cause a denial of service (crash) via a long string in the URI in a GET request.
Buffer Overflow