Netgear Vulnerabilities Lead to Credentials Leak, Privilege Escalation

Vulnerabilities in Netgear network management system allow attackers to retrieve cleartext passwords and escalate privileges.

Vulnerabilities in Netgear’s NMS300 ProSAFE network management system allow attackers to retrieve cleartext credentials and escalate privileges, cybersecurity firm Flashpoint reports.

The tool provides users with a web-based interface for network device management. It uses TCP port 8080 for communication and supports administrator accounts and lower-privileged operator and observer account roles.

A user with an observer account can only view and monitor network functions, but the issues that Flashpoint identified in the product allow an attacker to gain administrative access to devices, starting from this low-privileged role.

Netgear NMS300, Flashpoint explains, allows administrators to manage user accounts from a ‘User management’ tab, where an observer account can only view information about other users, such as username, account type, contact details, and more.

What Flashpoint discovered was that, when the ‘User management’ tab is accessed, the system sends two requests, one to initiate the page and another to retrieve user information to populate the page.

The first vulnerability stems from that second request: the server runs an SQL query against its user table in the background and returns every row, with every column, in the response.

“The problem is that as everything stored in the database table is returned, this includes the cleartext passwords for every single account. While this information is not displayed on the page to the user, it can be obtained by simply viewing the JSON data in the HTTP response,” Flashpoint explains.


By exploiting this vulnerability, an attacker with access to a low-privileged account can retrieve the credentials for administrator accounts and then log into the web-based management interface using those credentials, which would provide them with access to all managed devices.

The second issue, the cybersecurity firm explains, exists because, when a user with an observer account accesses the ‘User management’ tab, the system performs insufficient checks to determine the permissions that user has.

Because these checks “do not restrict the individual HTTP requests sent to the system”, an attacker can bypass restrictions by sending crafted requests to change the password of an administrator account and then log in to the system using the modified credentials, gaining administrative access.
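Both flaws are easy to reproduce in miniature. The following Python is an added illustration written for this article, not code from NMS300 or from Flashpoint's report; the table layout, role names, handler names and sample accounts are assumptions constructed for the example. The first pair of handlers shows the over-fetching behind the credential leak (a `SELECT *` whose every column is serialized into the JSON body, versus a projection of only the fields the page needs); the second pair shows the password-change flaw (a handler that relies on the UI to hide the button from observers, versus one that checks the caller's role on the request itself and hashes the new value instead of storing it in cleartext).

```python
"""Added illustration (not NMS300 code) of the two flaws described above.

Bug 1: the user-list handler serializes every column its SQL query returns,
so the password column reaches the JSON body although the page never renders it.
Bug 2: the 'change password' control is hidden from observers in the UI, but
the server never re-checks the caller's role on the request.
Table layout, role names, handlers and sample accounts are assumptions.
"""
import hashlib
import hmac
import json
import os
import sqlite3

ROLE_ADMIN, ROLE_OPERATOR, ROLE_OBSERVER = "admin", "operator", "observer"


def make_db() -> sqlite3.Connection:
    """Constructed sample store that, like the product described, keeps
    passwords in cleartext next to the profile fields the page displays."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
               "role TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("admin", "Adm1n-Secret!", ROLE_ADMIN, "admin@example.invalid"),
        ("ops1", "operator-pw", ROLE_OPERATOR, "ops1@example.invalid"),
        ("watch", "observer-pw", ROLE_OBSERVER, "watch@example.invalid"),
    ])
    return db


# ---- Bug 1: the response carries whatever the query returned ---------------

def list_users_vulnerable(db, caller_role: str) -> str:
    """Any logged-in role (including observer) may list users. SELECT * drags
    the password column into the JSON; the front end merely does not show it."""
    rows = db.execute("SELECT * FROM users").fetchall()
    return json.dumps([dict(r) for r in rows])


def list_users_fixed(db, caller_role: str) -> str:
    """Project only the fields the page needs, so a secret column can never
    reach the wire regardless of what the table stores."""
    rows = db.execute("SELECT username, role, email FROM users").fetchall()
    return json.dumps([dict(r) for r in rows])


def leaked_admin_password(body: str):
    """What an observer does with the raw response: parse the JSON the page
    ignores and pull out the admin credential if the field is present."""
    for rec in json.loads(body):
        if rec.get("role") == ROLE_ADMIN and "password" in rec:
            return rec["password"]
    return None


# ---- Bug 2: authorization enforced by the UI, not per request --------------

def change_password_vulnerable(db, caller_role: str, target: str, new_pw: str) -> bool:
    """The observer's page has no 'change password' button, so nothing here
    looks at caller_role. A hand-crafted request reaches it all the same."""
    cur = db.execute("UPDATE users SET password = ? WHERE username = ?",
                     (new_pw, target))
    return cur.rowcount == 1


def hash_password(pw: str) -> str:
    """PBKDF2-HMAC-SHA256 with a random salt, stored as 'salt$digest' (hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(db, username: str, candidate: str) -> bool:
    row = db.execute("SELECT password FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None or "$" not in row["password"]:
        return False  # unknown user, or a legacy cleartext row that must be reset
    salt_hex, digest_hex = row["password"].split("$", 1)
    calc = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                               bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(calc.hex(), digest_hex)


def change_password_fixed(db, caller_role: str, caller: str,
                          target: str, new_pw: str) -> str:
    """Decide on the request itself: admins may reset anyone, other roles only
    themselves. Returns 'changed', 'forbidden' or 'no such user'."""
    if caller_role != ROLE_ADMIN and caller != target:
        return "forbidden"
    cur = db.execute("UPDATE users SET password = ? WHERE username = ?",
                     (hash_password(new_pw), target))
    return "changed" if cur.rowcount == 1 else "no such user"
```

Run against the constructed store, `list_users_vulnerable` called as the observer yields a body from which `leaked_admin_password` recovers the admin's cleartext password, while the projected query yields none; likewise `change_password_vulnerable` lets the observer overwrite the admin password, whereas the per-request check returns `forbidden`. The point generalizes beyond this product: authorization and data-exposure decisions have to be made in the handler for each request, because anything the UI hides is still one crafted request away.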

Additionally, Flashpoint says, the Netgear ProSAFE network management system uses multiple third-party components that contain known vulnerabilities, including older versions of MySQL Server, Apache Log4J, and Apache Tomcat.

Flashpoint says it has contacted Netgear’s support team to request a direct contact for reporting the identified vulnerabilities, but that the vendor failed to provide such a contact, instead directing the researchers to toll-free numbers to the business support team.

“The vendor failed to provide a viable security contact, which prevented coordination of the vulnerability report. We are currently not aware of a fix. […] Customers should consider not using this product in production environments or alternatively restrict any untrusted access to systems running the product,” Flashpoint says.

SecurityWeek has emailed Netgear for an official statement and will update this article as soon as a reply arrives.

Related: Netgear Neutralizes Pwn2Own Exploits With Last-Minute Nighthawk Router Patches

Related: Game Acceleration Module Vulnerability Exposes Netgear Routers to Attacks

Related: Multiple Vulnerabilities Impact Netgear Nighthawk R6700 Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
