CVE-2019-17373
high-risk
Published 2019-10-09
Certain NETGEAR devices allow unauthenticated access to critical .cgi and .htm pages via a substring ending with .jpg, such as by appending ?x=1.jpg to a URL. This affects MBR1515, MBR1516, DGN2200, DGN2200M, DGND3700, WNR2000v2, WNDR3300, WNDR3400, WNR3500, and WNR834Bv2.
Do I need to act?
-
0.93% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (10)
Mbr1515 Firmware
Mbr1516 Firmware
Dgn2200M Firmware
Dgnd3700 Firmware
Wnr2000V2 Firmware
Wndr3300 Firmware
Wnr3500 Firmware
Wnr834Bv2 Firmware
Affected Vendors
References (2)
Third Party Advisory
https://github.com/zer0yu/CVE_Request/blob/master/netgear/Netgear_web_interface_...
Third Party Advisory
https://github.com/zer0yu/CVE_Request/blob/master/netgear/Netgear_web_interface_...
51
/ 100
high-risk
Severity
32/34 · Critical
Exploitability
3/34 · Minimal
Exposure
16/34 · Moderate