6.5

CVE-2020-17409

This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R6120, R6080, R6260, R6220, R6020, JNR3210, and WNR2020 routers with firmware 1.0.66. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-10754.

Data is provided by the National Vulnerability Database (NVD)
NetgearR6020 Firmware Version < 1.0.0.44
   NetgearR6020 Version-
NetgearR6080 Firmware Version < 1.0.0.44
   NetgearR6080 Version-
NetgearR6120 Firmware Version < 1.0.0.70
   NetgearR6120 Version-
NetgearR6220 Firmware Version < 1.1.0.100
   NetgearR6220 Version-
NetgearR6230 Firmware Version < 1.1.0.100
   NetgearR6230 Version-
NetgearR6260 Firmware Version < 1.1.0.76
   NetgearR6260 Version-
NetgearR6330 Firmware Version < 1.1.0.76
   NetgearR6330 Version-
NetgearR6350 Firmware Version < 1.1.0.76
   NetgearR6350 Version-
NetgearR6850 Firmware Version < 1.1.0.76
   NetgearR6850 Version-
NetgearJnr3210 Firmware Version-
   NetgearJnr3210 Version-
NetgearWnr2020 Firmware Version-
   NetgearWnr2020 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.3% 0.501
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 3.3 6.5 2.9
AV:A/AC:L/Au:N/C:P/I:N/A:N
zdi-disclosures@trendmicro.com 6.5 2.8 3.6
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.