Home

Description

Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated remote attackers to decrypt or intercept encrypted management communications. Attackers can perform man-in-the-middle attacks, impersonate devices, and expose sensitive information by leveraging the shared default cryptographic keys across multiple devices.

PUBLISHED Reserved 2026-04-03 | Published 2026-04-03 | Updated 2026-05-14 | Assigner VulnCheck




HIGH: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-321: Use of Hard-coded Cryptographic Key

Product status

Default status
affected

>= 9.10 (custom)
unaffected

Any version
affected

Any version
affected

Any version
affected

References

assets.belden.com/...eys-HiLCOS-Hirschmann-BSECV-2015-12.pdf vendor-advisory

www.vulncheck.com/...cos-hard-coded-credentials-ssh-ssl-keys third-party-advisory

cve.org (CVE-2015-10148)

nvd.nist.gov (CVE-2015-10148)

Download JSON