CVE-2018-25236 | THREATINT

Description

Hirschmann HiOS and HiSecOS products RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, EAGLE contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative access by crafting specially formed HTTP requests. Attackers can exploit improper authentication handling to obtain the authentication status and privileges of a previously authenticated user without providing valid credentials.

PUBLISHED Reserved 2026-04-03 | Published 2026-04-03 | Updated 2026-05-14 | Assigner VulnCheck

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

Improper Authentication (CWE-287)

Product status

Default status

unaffected

Any version

affected

Any version

affected

Any version

affected

06.1.05 (custom)

unaffected

07.0.00 (custom)

unaffected

03.1.00 (custom)

unaffected

Default status

unaffected

Any version

affected

03.0.03 (custom)

unaffected

References

assets.belden.com/...OS-HiSecOS-Hirschmann-BSECV-2018-05.pdf vendor-advisory

www.vulncheck.com/...thentication-bypass-via-http-management

cve.org (CVE-2018-25236)

nvd.nist.gov (CVE-2018-25236)

Download JSON