CVE-2018-25236

Summary

Hirschmann HiOS and HiSecOS products RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, EAGLE contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative access by crafting specially formed HTTP requests. Attackers can exploit improper authentication handling to obtain the authentication status and privileges of a previously authenticated user without providing valid credentials.

Affected Software

VendorProductVersion RangeStatus
BeldenHirschmann HiOS0 <= 05.07affected
BeldenHirschmann HiOS0 <= 06.1.04affected
BeldenHirschmann HiOS0 <= 06.2.00affected
BeldenHirschmann HiOS06.1.05unaffected
BeldenHirschmann HiOS07.0.00unaffected
BeldenHirschmann HiOS03.1.00unaffected
BeldenHirschmann HiSecOS EAGLE0 <= 03.00.02affected
BeldenHirschmann HiSecOS EAGLE03.0.03unaffected

Weaknesses

  • CWE-287: Improper Authentication (CWE-287)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References