CVE-2020-35801
Description
Certain NETGEAR devices are affected by incorrect configuration of security settings. This affects JGS516PE before 2.6.0.48, JGS524Ev2 before 2.6.0.48, JGS524PE before 2.6.0.48, and GS116Ev2 before 2.6.0.48. A TFTP server was found to be active by default. It allows remote authenticated users to update the switch firmware.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NETGEAR ProSAFE Plus switches enable a TFTP server by default, allowing remote authenticated users to push arbitrary firmware updates.
Vulnerability
Certain NETGEAR smart managed Plus switch models ship with a TFTP server enabled by default because of insecure default security settings. The affected models are JGS516PE, JGS524Ev2, JGS524PE, and GS116Ev2, all running firmware versions prior to 2.6.0.48 [1][2]. Because the service is on by default, the switch accepts firmware update operations over TFTP without an administrator ever having explicitly enabled it.
Exploitation
An attacker with valid remote authentication credentials (or who has compromised an authenticated session) can connect to the TFTP server running on the switch. By uploading a crafted firmware image, the attacker effectively performs a firmware update. The attacker must be on an adjacent network; the attack complexity is low, and no user interaction is required beyond the initial authentication [2].
Impact
Successful exploitation allows an attacker to replace the switch firmware with a malicious image. This can lead to complete compromise of the device, persistent backdoor access, and potential manipulation of network traffic. The CVSS v3.1 score is 8.3 (High), with a vector of AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H, indicating high impact on integrity and availability [2].
Mitigation
NETGEAR has released fixed firmware version 2.6.0.48 for all affected models. Users should download and install the latest firmware from the NETGEAR Support pages as soon as possible [2]. No workaround for the misconfiguration is available; the only mitigation is upgrading to the patched firmware.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
5 NETGEAR devices listed (see Description above).
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2 references (cited as [1] and [2] above).
News mentions
No linked articles in our index yet.