CVE-2018-25236

CRITICAL

Hirschmann HiOS HiSecOS Authentication Bypass via HTTP Management

Title source: cna

Description

Hirschmann HiOS and HiSecOS products (RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, EAGLE) contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative access by sending specially crafted HTTP requests. Because of improper authentication handling, an attacker can obtain the authentication status and privileges of a previously authenticated user without providing valid credentials.

Scores

CVSS v3: 9.8
EPSS: 0.0050
EPSS Percentile: 39.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-287
Status: published
Products (8):
Belden/Hirschmann HiOS < 05.07
Belden/Hirschmann HiOS < 06.1.04
Belden/Hirschmann HiOS < 06.2.00
Belden/Hirschmann HiOS 03.1.00
Belden/Hirschmann HiOS 06.1.05
Belden/Hirschmann HiOS 07.0.00
Belden/Hirschmann HiSecOS EAGLE < 03.00.02
Belden/Hirschmann HiSecOS EAGLE 03.0.03
Published: Apr 03, 2026
Tracked Since: Apr 04, 2026