
JVNDB-2026-000018

Undocumented "TelnetEnable" functionality of End of Service NETGEAR products

Overview

Some end-of-service NETGEAR products provide "TelnetEnable" functionality, which allows a magic packet to activate the telnet service on the device.
  • Inclusion of Undocumented Features or Chicken Bits (CWE-1242) - CVE-2026-24714
Misato Ito, Daichi Uezono, Ryu Kuki, Iwaki Miyamoto, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported the issue on NETGEAR PR2000 to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Affected Products

NETGEAR
  • PR2000 firmware is reported to have "TelnetEnable" functionality.

According to the developer,
(1) PR2000 was not sold in Japan,
(2) all NETGEAR products currently supported (at the time of this writing) don't have "TelnetEnable" functionality,
(3) NETGEAR will not verify issues on obsolete (non-supported) products.

Impact

Telnet service may be activated by a magic packet sent to the LAN interface of the affected product.

Solution

[Stop using the products]
Stop using the end-of-service products, including NETGEAR PR2000.

Vendor Information

NETGEAR

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2026-24714

References

  1. JVN: JVN#46722282

Revision History

  • [2026/01/30]
      Web page was published