CVE-2025-27450

Summary

The Secure attribute is missing on multiple cookies provided by the MEAC300-FNADE4. An attacker can trick a user to establish an unencrypted HTTP connection to the server and intercept the request containing the PHPSESSID cookie.

Affected Software

VendorProductVersion RangeStatus
Endress+HauserEndress+Hauser MEAC300-FNADE40 <= <=0.16.0affected
Endress+HauserEndress+Hauser MEAC300-FNADE4>=0.17.0unaffected

Weaknesses

  • CWE-614: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References