Critical Authentication Bypass in Hirschmann HiOS and HiSecOS Grants Admin Access
Hirschmann disclosed a critical vulnerability, tracked as CVE-2018-25236, in the HTTP(S) management module of multiple HiOS and HiSecOS product lines, including RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, and EAGLE. The flaw allows an unauthenticated remote attacker to send specially crafted HTTP requests and gain administrative access to affected devices without valid credentials.
The issue stems from improper authentication handling that can cause a new request to inherit the authentication state and privileges of a previously authenticated user. Belgium's Centre for Cybersecurity (CCB) issued a warning describing the bug as critical and urged organizations using affected Hirschmann industrial networking products to patch immediately to prevent unauthorized takeover of device management interfaces.
Timeline
Apr 7, 2026
Belgium CCB issues warning to patch affected Hirschmann products
The Centre for Cybersecurity Belgium published an advisory warning that CVE-2018-25236 affects multiple Hirschmann HiOS/HiSecOS products and enables unauthenticated remote administrative access. The agency urged organizations to patch affected systems immediately.
Apr 3, 2026
Hirschmann discloses CVE-2018-25236 authentication bypass flaw
Hirschmann disclosed a critical authentication bypass vulnerability in the HTTP(S) management module affecting multiple HiOS and HiSecOS product lines, including RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, and EAGLE. The flaw allows unauthenticated remote attackers to gain administrative access by sending crafted HTTP requests that inherit a previously authenticated user's privileges.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
Hirschmann Industrial HiVision Flaws Enable RCE via Auth Bypass and Path Hijacking
Belden disclosed two high-severity vulnerabilities in **Hirschmann Industrial HiVision** that can lead to arbitrary code execution. The more serious issue, tracked as `CVE-2017-20237`, is an authentication bypass in the product's master service that affects versions prior to **06.0.07** and **07.0.03**. An unauthenticated remote attacker can invoke exposed interface methods and execute commands with administrative privileges on the underlying operating system, creating a full remote code execution path with high impact to confidentiality, integrity, and availability. A second flaw, `CVE-2022-4987`, affects **08.1.03** prior to **08.1.04** and **08.2.00** and stems from improper sanitization of paths used to launch user-configured external applications. In that scenario, a low-privileged local attacker can place a malicious binary in the execution path so it runs instead of the intended program, potentially gaining elevated execution depending on deployment context. The vulnerabilities were documented in Belden security guidance and VulnCheck advisories, highlighting both remote and local routes to code execution in Industrial HiVision deployments.
1 months ago
Belden HiSecOS Flaw Lets Authenticated Users Gain Administrator Access
Belden disclosed a high-severity privilege-escalation vulnerability, **CVE-2023-7342**, in the **HiSecOS** web server that allows authenticated users with **operator** or **auditor** roles to obtain **administrator** privileges by sending specially crafted packets. Successful exploitation can give an attacker full administrative control of the affected device, raising the risk of unauthorized configuration changes and broader compromise in environments that rely on the platform. A related CVE entry, **CVE-2023-7343**, was published alongside the advisory stream and references a Belden security bulletin, but the available record appears to repeat the HiSecOS privilege-escalation details rather than clearly describing the separate issue named in its title. Both entries were published with **CVSS v3.1** and **CVSS v4.0** scoring metadata and **CWE-269** classification, indicating Belden customers should review the vendor advisories closely to identify affected products and apply any recommended mitigations or updates.
1 months ago
Authentication Bypass Vulnerability in Siemens SIMATIC CP and SIPLUS ET 200SP Devices
A critical authentication bypass vulnerability, tracked as CVE-2025-40771 with a CVSS score of 9.8, has been discovered in Siemens SIMATIC CP and SIPLUS ET 200SP industrial communication modules. The flaw affects multiple device models, including SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, as well as SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL, CP 1543SP-1 ISEC, and CP 1543SP-1 ISEC TX RAIL, specifically all versions prior to V2.4.24. The vulnerability arises from improper authentication of configuration connections, which allows unauthenticated remote attackers to gain access to sensitive configuration data on affected devices. This issue is particularly severe because it does not require any prior authentication, enabling attackers to exploit the flaw remotely without credentials. The vulnerability could be leveraged to compromise the integrity and confidentiality of industrial control systems that rely on these modules for network communication. Siemens has acknowledged the vulnerability and has released advisories to inform customers of the affected product versions. The flaw was reported by Siemens ProductCERT, and the company has urged users to update to the latest firmware version (V2.4.24 or later) to mitigate the risk. Exploitation of this vulnerability could allow attackers to alter device configurations, potentially disrupting industrial processes or enabling further attacks within operational technology environments. The vulnerability is considered critical due to the widespread use of these modules in industrial automation and the potential impact on critical infrastructure. Security researchers have highlighted the risk of remote exploitation, emphasizing the need for immediate patching and network segmentation to protect vulnerable devices. Organizations are advised to review their asset inventories to identify affected devices and prioritize remediation efforts. In addition to patching, Siemens recommends implementing network security best practices, such as restricting access to configuration interfaces and monitoring for unauthorized connection attempts. The disclosure of CVE-2025-40771 underscores the ongoing challenges in securing industrial control systems against remote attacks. The vulnerability was publicly disclosed in mid-October 2025, and security advisories have been disseminated to raise awareness among industrial operators. The incident highlights the importance of timely vulnerability management and the need for robust authentication mechanisms in critical infrastructure devices. Failure to address this vulnerability could result in significant operational disruptions and potential safety risks in industrial environments. The security community continues to monitor for signs of exploitation in the wild, and organizations are encouraged to stay informed about further updates from Siemens and relevant CERTs.
1 months ago