CVE-2020-35226
📋 TL;DR
CVE-2020-35226 allows unauthenticated attackers to modify DHCP configuration on affected NETGEAR switches. This vulnerability enables unauthorized network changes without credentials. It affects NETGEAR JGS516PE and GS116Ev2 switches running vulnerable firmware.
💻 Affected Systems
- NETGEAR JGS516PE
- NETGEAR GS116Ev2
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect all DHCP traffic to malicious servers, enabling man-in-the-middle attacks, credential theft, and network disruption.
Likely Case
Unauthorized DHCP server configuration leading to IP address conflicts, network instability, and potential traffic interception.
If Mitigated
Limited impact if switches are isolated from untrusted networks and proper network segmentation is implemented.
🎯 Exploit Status
Exploitation requires sending specific HTTP POST requests to the switch management interface. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.6.0.48 or later
Vendor Advisory: https://kb.netgear.com/000062641/Security-Advisory-for-Unauthenticated-DHCP-Configuration-Change-on-Some-Switches-PSV-2020-0218
Restart Required: Yes
Instructions:
1. Download the latest firmware from the NETGEAR support site.
2. Log into the switch web interface.
3. Navigate to Maintenance > Firmware Upgrade.
4. Upload and install the new firmware.
5. Reboot the switch.
🔧 Temporary Workarounds
Restrict Management Interface Access
Limit access to the switch management interface to trusted IP addresses only
Configure ACLs to restrict HTTP/HTTPS access to management IP
Disable Web Management
Use CLI management only if the web interface is not required
no ip http server
no ip http secure-server
🧯 If You Can't Patch
- Isolate switches on dedicated management VLAN with strict access controls
- Implement network monitoring for unauthorized DHCP configuration changes
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface: System > Information > Firmware Version
Check Version:
show version (via CLI) or check web interface System Information page
Verify Fix Applied:
Confirm the firmware version is v2.6.0.48 or later, then confirm that DHCP configuration changes now require authentication
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated POST requests to /DHCPCfg.html
- Unexpected DHCP configuration changes in system logs
Network Indicators:
- Unusual HTTP traffic to switch management interface from unauthorized sources
- Multiple DHCP servers responding on network
SIEM Query:
source_ip NOT IN trusted_networks AND dest_port=80 AND uri_path="/DHCPCfg.html" AND http_method="POST"
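The SIEM query above, applied to access-log lines as an added example (not from the advisory or from NETGEAR). The log line shape, the trusted network 10.0.10.0/24 and the sample entries are all constructed assumptions; a firmware version check against the patched release is included as well.

```python
import ipaddress
import re

# Trusted management networks (assumed value; adjust to your environment).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.10.0/24")]

# Constructed sample lines in a simple access-log shape:
# "<src_ip> <method> <path> <status>"
SAMPLE_LOG = """\
10.0.10.5 POST /DHCPCfg.html 200
192.168.1.77 POST /DHCPCfg.html 200
198.51.100.23 GET /DHCPCfg.html 200
203.0.113.9 POST /login.cgi 200
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside a trusted management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious_dhcp_changes(log_text: str) -> list:
    """Return records for POST /DHCPCfg.html from outside the trusted networks."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected shape
        rec = m.groupdict()
        if (rec["method"] == "POST"
                and rec["path"] == "/DHCPCfg.html"
                and not is_trusted(rec["ip"])):
            hits.append(rec)
    return hits


def firmware_is_fixed(version: str, fixed: str = "2.6.0.48") -> bool:
    """Compare dotted firmware versions numerically; a leading 'v' is tolerated."""
    def parse(v: str) -> tuple:
        return tuple(int(p) for p in v.strip().lstrip("vV").split("."))
    return parse(version) >= parse(fixed)


if __name__ == "__main__":
    for hit in find_suspicious_dhcp_changes(SAMPLE_LOG):
        print("suspicious DHCP config change from", hit["ip"])
    print("v2.6.0.48 fixed:", firmware_is_fixed("v2.6.0.48"))
```

Only the 192.168.1.77 line is flagged: the trusted-network POST and the GET from outside are not matches, and the POST to a different path is ignored.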