
CVE-2020-26919

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 09 October 2020
Modified: 07 November 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9379 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-26919 is a critical-severity vulnerability of unspecified weakness type in NETGEAR JGS516PE firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-14 (Permitted Actions Without Identification or Authentication).

Deeper analysis

NETGEAR JGS516PE devices running firmware versions prior to 2.6.0.43 contain a missing function-level access control vulnerability. The flaw is rated 9.8 under CVSS 3.1 with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and is tracked under NVD-CWE-Other.

An unauthenticated attacker with network access can invoke privileged functions directly, resulting in complete compromise of device confidentiality, integrity, and availability without any user interaction or credentials.

The vendor advisory recommends upgrading to firmware 2.6.0.43 or later to restore proper access controls. The vulnerability appears in CISA's catalog of known exploited vulnerabilities, indicating confirmed in-the-wild exploitation activity.

Vulnerability details

NETGEAR JGS516PE devices before 2.6.0.43 are affected by lack of access control at the function level.

CWE(s): NVD-CWE-Other

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: netgear
Product: jgs516pe firmware
Affected versions: prior to 2.6.0.43 (fixed in 2.6.0.43)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Directly enforces the function-level access control checks that the CVE shows are absent, blocking unauthenticated invocation of privileged device functions.

Least privilege (prevent)

Requires that only the minimum privileges needed are granted to each function, preventing the blanket exposure of administrative operations described in the CVE.

AC-14 Permitted Actions Without Identification or Authentication (prevent)

Explicitly identifies and limits the actions permitted without authentication, directly addressing the unauthenticated privileged-function access that constitutes the vulnerability.
