Unrated severity · NVD Advisory · Published Apr 28, 2020 · Updated Aug 5, 2024

CVE-2017-18858

Description

Certain NETGEAR devices are affected by command execution. This affects M4200-10MG-POE+ 12.0.2.11 and earlier, M4300-28G 12.0.2.11 and earlier, M4300-52G 12.0.2.11 and earlier, M4300-28G-POE+ 12.0.2.11 and earlier, M4300-52G-POE+ 12.0.2.11 and earlier, M4300-8X8F 12.0.2.11 and earlier, M4300-12X12F 12.0.2.11 and earlier, M4300-24X24F 12.0.2.11 and earlier, M4300-24X 12.0.2.11 and earlier, and M4300-48X 12.0.2.11 and earlier.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NETGEAR M4200 and M4300 switches running firmware 12.0.2.11 and earlier are affected by unauthenticated remote code execution via the web interface.

Vulnerability

The vulnerability exists in the web interface of NETGEAR M4200-10MG-POE+ and M4300 series fully managed switches running firmware version 12.0.2.11 and earlier. An unauthenticated attacker can execute arbitrary commands with administrator privileges. Affected models include GSM4210P, GSM4328S, GSM4352S, GSM4328PS, GSM4352PS, XSM4316S, XSM4324S, XSM4348S, XSM4324CS, and XSM4348CS [1].

Exploitation

An attacker must have network access to the switch's web interface. Typically, a firewall blocks external access, so exploitation is limited to attackers on the local network or to cases where the management interface is exposed. No authentication is required; the attacker sends specially crafted HTTP requests to trigger command execution [1].

Impact

Successful exploitation allows an unauthenticated attacker to execute commands with administrator privileges, leading to full device compromise. This could result in configuration file disclosure, disruption of switch operation, or complete takeover of the switch [1].

Mitigation

NETGEAR has released firmware fixes for all affected products. Users should update to the latest firmware version available from the NETGEAR Download Center. The advisory strongly recommends an immediate firmware update [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
