Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

NETGEAR Patches Severe Vulnerabilities in Business Switches

NETGEAR has released patches to address severe vulnerabilities in its business-grade smart switches that could lead to complete device takeover.

NETGEAR has released patches to address severe vulnerabilities in its business-grade smart switches that could lead to complete device takeover.

In an advisory published Friday, just before the Labor Day holiday weekend in the U.S., NETGEAR said the flaws affect twenty device models, but refrained from sharing any technical details on the resolved issues. No CVE identifiers have been issued for any of the vulnerabilities.

On Monday, however, security researcher Gynvael Coldwind, who identified and reported the bugs, published information on two of the flaws, both of which could provide an attacker with administrator access to a vulnerable device.

The first of the flaws, which Coldwind refers to as Demon’s Cries, is an authentication bypass that could result in an attacker changing various settings on the device – including the administrator password –, to completely compromise it.

For the vulnerability to work, however, the NETGEAR Smart Control Center (SCC Control) needs to be manually enabled – the feature is disabled by default.

The researcher explains that, when enabled, the sccd daemon allows for various configuration changes. On certain devices, however, an authentication requirement on “set” commands is not enforced, meaning that an attacker could change the admin password on the device without knowing the previous password.

Coldwind assesses the vulnerability with a CVSS score of 9.8, underlining that it has a severity rating of critical. NETGEAR, on the other hand, says that the bug has a CVSS score of 8.8, with a severity rating of high.

The second vulnerability, which the researcher refers to as Draconian Fear, could allow an attacker to hijack the session bootstrapping information of an administrator and gain full admin access.

For successful exploitation, the attacker needs to have the same IP as the administrator logging into the vulnerable device. The attacker would also need to win “a race condition with a 1-second window,” the researcher says.

The issue is that, when the administrator logs in, the browser sends login information in a set.cgi handler and then polls a get.cgi handler for the session ID, where “get.cgi relies only on the IP and a guessable 1-5 browser type number for verification whether the polling party is actually the same as the party that sent in the login information,” the researcher explains.

Thus, an attacker on the same IP as the admin can send multiple requests to get.cgi and retrieve session information. The bug is rated high severity, with a CVSS score of 7.8, the researcher says (Netgear assesses it with a CVSS score of 7.4).

Coldwind has published proof-of-concept code for both vulnerabilities, but has refrained from revealing technical details on a third severe issue, which he refers to as Seventh Inferno. Details on this vulnerability will be published on September 13.

Affected device models include GC108P/PP/Tv3, GS110TPP/TPv3/TUP, GS308T, GS310TP/TUP, GS716TP/TPP, GS724TPP/TPv2, GS728TPPv2/TPv2, GS750E, GS752TPP/TPv2, and MS510TXM/TXUP switches. Netgear has released firmware updates for all affected products.

Related: Critical, Exploitable Flaws in NETGEAR Router Firmware

Related: Unpatched Flaws in Netgear Business Switches Expose Organizations to Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet