CVE-2020-26919
Published: 09 October 2020
Summary
CVE-2020-26919 is a critical-severity vulnerability of an unspecified weakness class in NETGEAR JGS516PE firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-14 (Permitted Actions Without Identification or Authentication).
Deeper analysis
NETGEAR JGS516PE devices running firmware versions prior to 2.6.0.43 contain a missing function-level access control vulnerability. The flaw is rated 9.8 under CVSS 3.1 with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and is tracked under NVD-CWE-Other.
An unauthenticated attacker with network access can invoke privileged functions directly, resulting in complete compromise of device confidentiality, integrity, and availability without any user interaction or credentials.
The vendor advisory recommends upgrading to firmware 2.6.0.43 or later to restore proper access controls. The vulnerability appears in CISA's catalog of known exploited vulnerabilities, indicating confirmed in-the-wild exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-19449
Vulnerability details
NETGEAR JGS516PE devices before 2.6.0.43 are affected by lack of access control at the function level.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces function-level access control checks that the CVE shows are absent, blocking unauthenticated invocation of privileged device functions.
Requires that only the minimum privileges needed are granted to each function, preventing the blanket exposure of administrative operations described in the CVE.
Explicitly identifies and limits actions permitted without authentication, directly addressing the unauthenticated privileged-function access that constitutes the vulnerability.