CVE-2016-1555

Published: Apr 21, 2017Modified: Apr 22, 2026CISA KEV

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute arbitrary commands.

Affected (7)

Products: Netgear: Wnap320 Firmware, Wndap350 Firmware, Wndap360 Firmware, Wndap210v2 Firmware, Wn604 Firmware, Wndap660 Firmware, Wn802tv2 Firmware

7 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear Wnap320 Firmware	Up to 3.0.5.0

Running on/with	Platform Versions
Netgear Wnap320	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear Wndap350 Firmware	Up to 3.0.5.0

Running on/with	Platform Versions
Netgear Wndap350	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear Wndap360 Firmware	Up to 3.0.5.0

Running on/with	Platform Versions
Netgear Wndap360	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear Wndap210v2 Firmware	Up to 3.0.5.0

Running on/with	Platform Versions
Netgear Wndap210v2	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear Wn604 Firmware	Up to 3.3.2

Running on/with	Platform Versions
Netgear Wn604	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear Wndap660 Firmware	Up to 3.0.5.0

Running on/with	Platform Versions
Netgear Wndap660	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netgear Wn802tv2 Firmware	Up to 3.0.5.0

Running on/with	Platform Versions
Netgear Wn802tv2	All versions

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (9)

http://packetstormsecurity.com/files/135956/D-Link-Netgear-FIRMADYNE-Command-Injection-Buffer-Overflow.html

Source: cret@cert.org

Third Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2016/Feb/112

Source: cret@cert.org

Mailing ListThird Party Advisory

https://kb.netgear.com/30480/CVE-2016-1555-Notification?cid=wmt_netgear_organic

Source: cret@cert.org

PatchVendor Advisory

https://www.exploit-db.com/exploits/45909/

Source: cret@cert.org

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/135956/D-Link-Netgear-FIRMADYNE-Command-Injection-Buffer-Overflow.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2016/Feb/112

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://kb.netgear.com/30480/CVE-2016-1555-Notification?cid=wmt_netgear_organic

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://www.exploit-db.com/exploits/45909/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-1555

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.