Unrated severity · NVD Advisory · Published Dec 29, 2020 · Updated Aug 4, 2024

CVE-2020-35782

Description

Certain NETGEAR devices are affected by lack of access control at the function level. This affects JGS516PE before 2.6.0.48, JGS524Ev2 before 2.6.0.48, JGS524PE before 2.6.0.48, and GS116Ev2 before 2.6.0.48. The TFTP firmware update mechanism does not properly implement firmware validations, allowing remote attackers to write arbitrary data to internal memory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NETGEAR smart managed Plus switches are missing function-level access control in the TFTP firmware update mechanism, allowing remote unauthenticated attackers to write arbitrary data to device memory.

Vulnerability

The vulnerability is a missing function-level access control in the TFTP firmware update mechanism of certain NETGEAR smart managed Plus switches. This allows remote attackers to write arbitrary data to internal memory because the firmware validation is not properly implemented. Affected models include JGS516PE, JGS524Ev2, JGS524PE, and GS116Ev2 running firmware versions prior to 2.6.0.48 [2].

Exploitation

An attacker on the adjacent network can send crafted TFTP packets to the switch without authentication. The lack of access control and improper firmware validation enables the attacker to bypass security checks and write arbitrary data to internal memory. No user interaction is required.

Impact

Successful exploitation allows the attacker to overwrite firmware or configuration data, leading to high integrity and availability impact (CVSS I:H, A:H). This could result in denial of service or persistent compromise of the device. Confidentiality is not affected.

Mitigation

NETGEAR released firmware version 2.6.0.48 to fix this vulnerability. Users should update their devices to the latest firmware as soon as possible. No workarounds are available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

