Description

An authenticated attacker with high privileges can alter the config generator, injecting a payload into configurations created afterwards. The device does not correctly check this configuration value before passing it to a system execute call, leading to code execution. This can result in a total loss of confidentiality, integrity and availability.

PUBLISHED Reserved 2026-04-15 | Published 2026-05-27 | Updated 2026-05-27 | Assigner CERTVDE




HIGH: 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

0.0.0 (semver)
affected

Default status
unaffected

0.0.0 (semver)
affected

Default status
unaffected

8.4.4
affected

Default status
unaffected

3.0.2
affected

Default status
unaffected

0.0.0 (semver)
affected

Default status
unaffected

0.0.0 (semver)
affected

Default status
unaffected

8.4.4
affected

Default status
unaffected

3.0.2
affected

Credits

Moritz Abrell from SySS GmbH (finder)

Christian Zäske from SySS GmbH (finder)

References

www.certvde.com/en/advisories/VDE-2026-054/

cve.org (CVE-2026-40852)

nvd.nist.gov (CVE-2026-40852)
