CVE-2026-24789
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ZLAN Information Technology Co. | ZLAN5143D | v1.600 | affected |
Weaknesses
- CWE-306: CWE-306
Workarounds
ZLAN Information Technology Co. did not respond to CISA's attempts at coordination. Users of ZLAN5143D devices are encouraged to contact ZLAN and keep their systems up to date. https://www.zlmcu.com/en/contatct_us.htm
https://www.zlmcu.com/en/contatct_us.htm
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-02
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-041-02.json
- https://www.zlmcu.com/en/contact_us.htm
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.