CVE-2020-26919

What is the NETGEAR JGS516PE?

The NETGEAR JGS516PE is a 16-port Gigabit Ethernet ProSAFE Plus Smart Managed Switch — a network layer-2 switch with a web-based management interface for configuring VLANs, QoS, port mirroring, and access control lists. ProSAFE Plus switches are designed for small to medium businesses that need managed switch features at SMB pricing. The web management interface is accessible over HTTP on the switch's IP address and is intended for administrator use only. Missing authentication or access control on management functions in a network switch is particularly severe because a compromised switch allows an attacker to manipulate network traffic at layer 2 — intercepting packets, altering VLAN configurations, enabling port mirroring to capture traffic, or disrupting network connectivity for all devices connected to the switch.

Overview

CVE-2020-26919 is a missing function level access control vulnerability in NETGEAR JGS516PE ProSAFE Plus managed switches that allows an unauthenticated remote attacker to access and execute administrative switch management functions without authentication. An attacker on the same network as the switch (or with access to its management interface) can read switch configuration, modify VLAN settings, port configurations, and access control lists, or disrupt network operations. NETGEAR released a firmware patch in October 2020. CISA added it to KEV in November 2021.

Affected Versions

Technical Details

• Root cause: Missing function level access control — the JGS516PE's web management interface exposes administrative functions (VLAN configuration, port settings, traffic monitoring, access control) via HTTP endpoints that do not properly validate whether the requesting user is authenticated; an attacker can send HTTP requests to these management endpoints directly, bypassing the login page entirely
• Network switch administrative access: Full administrative access to a managed network switch enables: reconfiguring VLANs to break network segmentation, enabling port mirroring to capture all traffic passing through the switch (packet interception), modifying port security and access control lists to allow unauthorized devices on the network, and disabling ports to cause targeted denial of service for specific network segments
• SMB deployment context: ProSAFE Plus switches are common in small and medium business environments where network management may not be rigidly secured — switches accessible from the broader internal LAN rather than a dedicated management VLAN are particularly exposed; an attacker with initial foothold on any internal system can exploit this to pivot and expand access
• Authentication bypass scope: Without requiring credentials, any system on the management network can issue switch administration commands; depending on the switch's network placement, this may include systems in guest WiFi networks, employee workstations, or any host with a route to the switch IP
• CVSS 9.8 (AV:N): The Network attack vector reflects that the switch's web interface is accessible over IP without physical access; in environments where the switch management interface is reachable from multiple network segments, this is effectively a network-accessible unauthenticated admin takeover

Discovery

Identified by security researchers and reported to NETGEAR. NETGEAR addressed the vulnerability with firmware 2.6.0.43 in October 2020. CISA's November 2021 KEV addition reflects confirmed exploitation of JGS516PE switches in the wild.

Exploitation Context

Network infrastructure devices like managed switches are attractive targets because compromising them provides deep network visibility and control without needing to compromise individual hosts. In SMB environments, ProSAFE Plus switches may be managed from general workstations rather than dedicated management systems, and their web interfaces may be accessible from broader network segments. An attacker who exploits CVE-2020-26919 can silently monitor network traffic via port mirroring, modify VLAN configurations to access otherwise-segmented network zones, or disrupt operations — all without leaving artifacts on host systems, making detection more difficult.

Remediation

1. Update JGS516PE firmware to version 2.6.0.43 or later — the primary fix for CVE-2020-26919; check NETGEAR support for the current firmware version
2. Restrict management interface access — place the switch management interface on a dedicated management VLAN accessible only from designated administrator workstations; never allow management interface access from guest networks or general employee LAN segments
3. Implement firewall rules or ACLs to limit which hosts can reach the switch's management IP on port 80/443
4. Change the default switch admin credentials and use a strong password — authentication bypass makes this secondary but important once patching restores authentication
5. Review switch port mirroring and VLAN configurations for unauthorized changes that may indicate past exploitation
6. Enable switch management audit logging where supported to detect future unauthorized access attempts