CVE-2020-35223
📋 TL;DR
This vulnerability allows attackers to bypass CSRF protection in NETGEAR JGS516PE and GS116Ev2 switches by omitting the CSRF token parameter in HTTP requests. This could enable unauthorized administrative actions on affected devices. Organizations using these specific NETGEAR switch models with vulnerable firmware are affected.
💻 Affected Systems
- NETGEAR JGS516PE
- NETGEAR GS116Ev2
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of network switch configuration, enabling VLAN hopping, traffic interception, network segmentation bypass, or device bricking.
Likely Case
Unauthorized configuration changes, network disruption, or credential theft through crafted admin panel requests.
If Mitigated
Limited impact if network segmentation isolates management interfaces and strong authentication is enforced.
🎯 Exploit Status
Exploitation requires network access to the management interface but no authentication. Omitting the CSRF token is trivial to implement in attack scripts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.6.0.48 or later
Vendor Advisory: https://kb.netgear.com/000062641/Security-Advisory-for-Cross-Site-Request-Forgery-on-Some-Switches-PSV-2020-0223
Restart Required: Yes
Instructions:
1. Download the latest firmware from the NETGEAR support site.
2. Log into the switch web interface.
3. Navigate to Maintenance > Firmware Upgrade.
4. Upload the new firmware file.
5. Wait for the upgrade to complete and the device to reboot.
🔧 Temporary Workarounds
Disable web administration interface
Disable HTTP/HTTPS management access and use the CLI or other management methods.
CLI: configure terminal
CLI: no ip http server
CLI: no ip http secure-server
Network segmentation
Isolate the switch management interface on a dedicated VLAN with strict access controls.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate management interfaces
- Deploy web application firewall with CSRF protection rules
- Monitor for unauthorized configuration changes
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface (System > Information) or the CLI (show version). If the version is exactly v2.6.0.43, the device is vulnerable.
Check Version:
CLI: show version | include Software
Verify Fix Applied:
Verify that the firmware version is v2.6.0.48 or later. Test CSRF protection by attempting to submit admin actions without a valid token.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to admin endpoints missing CSRF tokens
- Unexpected configuration changes in switch logs
- Multiple failed login attempts followed by successful admin actions
Network Indicators:
- HTTP POST requests to /login.cgi or other admin endpoints without a Referer header
- Traffic from unexpected sources to switch management IP on port 80/443
SIEM Query:
source="switch_logs" AND (uri_path="/login.cgi" OR uri_path="/apply.cgi") AND NOT csrf_token=*
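The SIEM query above expressed as a small log scanner, added here as an example for this page (not NETGEAR code and not a vendor tool). It assumes the switch, or a reverse proxy in front of it, emits key=value access logs carrying the fields the query uses (uri_path, csrf_token, referer); the sample lines and field names below are constructed for illustration. It flags POSTs to the two admin endpoints named on this page that lack a CSRF token, and separately flags those that carry a token but no Referer header (the network indicator listed above).

```python
"""Flag admin-panel requests to the switch that omit the CSRF token.

Added example for the detection section of this CVE page; not NETGEAR code.
It assumes key=value access logs with the fields used by the page's SIEM
query (uri_path, csrf_token) plus a referer field. Log format, field names
and sample values are constructed assumptions, not real switch output.
"""
import re
from typing import Dict, List, Optional, Tuple

# Endpoints the page names as admin endpoints.
ADMIN_PATHS = {"/login.cgi", "/apply.cgi"}
# Field name assumed for the CSRF token, matching the page's SIEM query.
TOKEN_FIELD = "csrf_token"

# Constructed sample events (key=value format is an assumption).
SAMPLE_LOGS = [
    "ts=2021-01-01T10:00:00Z src=10.0.0.5 method=POST uri_path=/apply.cgi referer=http://10.0.0.1/ csrf_token=4f3c9a",
    "ts=2021-01-01T10:00:05Z src=10.0.0.7 method=POST uri_path=/apply.cgi referer=-",
    "ts=2021-01-01T10:00:10Z src=10.0.0.5 method=GET uri_path=/index.htm referer=http://10.0.0.1/",
    "ts=2021-01-01T10:00:15Z src=10.0.0.9 method=POST uri_path=/login.cgi referer=http://10.0.0.1/",
    "ts=2021-01-01T10:00:20Z src=10.0.0.5 method=POST uri_path=/apply.cgi referer=http://10.0.0.1/ csrf_token=",
    "ts=2021-01-01T10:00:25Z src=10.0.0.11 method=POST uri_path=/apply.cgi referer=- csrf_token=9b1d2e",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; absent fields stay absent."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for a suspicious admin request, or None if benign.

    Mirrors the page's SIEM query (admin endpoint AND NOT csrf_token=*) and
    adds the Referer check from the network indicators. An empty token value
    counts as missing: it proves the client had no valid token either way.
    """
    if event.get("uri_path") not in ADMIN_PATHS or event.get("method") != "POST":
        return None
    if not event.get(TOKEN_FIELD):
        return "missing_csrf_token"
    if event.get("referer", "-") == "-":
        return "missing_referer"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source IP, path, finding) for each suspicious admin request."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        event = parse_event(line)
        label = classify(event)
        if label:
            findings.append((event.get("src", "?"), event["uri_path"], label))
    return findings


if __name__ == "__main__":
    for src, path, label in scan(SAMPLE_LOGS):
        print(f"{src} -> {path}: {label}")
```

When tuning this, expect /login.cgi to be the noisy endpoint: a client that has not logged in yet has no session and therefore no token, so the "missing_csrf_token" finding on that path is only meaningful when correlated with a subsequent successful admin action, as the log indicators above describe. Requests to /apply.cgi with no token or no Referer are the higher-confidence signal.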