CVE-2018-25236: Hirschmann HiOS HiSecOS Authentication Bypass via HTTP Management
Hirschmann HiOS and HiSecOS products RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, EAGLE contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative access by crafting specially formed HTTP requests. Attackers can exploit improper authentication handling to obtain the authentication status and privileges of a previously authenticated user without providing valid credentials.
Security readout for executives and security teams
Plain-English summary
This flaw can let an unauthenticated remote attacker gain administrative access to affected Hirschmann industrial network devices through the HTTP(S) management interface. For executives, the business concern is potential loss of control over critical network infrastructure, with confidentiality, integrity, and availability all rated high impact.
Executive priority
Treat this as urgent for industrial or critical network environments, especially where management interfaces are reachable beyond a tightly controlled admin network. Prioritize inventory, exposure reduction, and vendor-confirmed remediation.
Technical view
CVE-2018-25236 is an authentication bypass in the HTTP(S) management module of Belden Hirschmann HiOS and HiSecOS products. Improper authentication handling may let crafted HTTP requests inherit the authentication status and privileges of a previously authenticated user without valid credentials. The CVSS 3.1 score is 9.8 critical.
Likely exposure
Exposure is most relevant where affected Hirschmann HiOS or HiSecOS EAGLE devices have HTTP(S) management reachable from untrusted networks. The provided version data is incomplete or ambiguous, so inventory confirmation against Belden guidance is required.
Exploitation context
The source bundle describes remote unauthenticated administrative access with low attack complexity and no user interaction. It does not provide KEV evidence or other cited evidence of active exploitation, so active exploitation should not be claimed from this bundle alone.
Researcher notes
The affected product/version list in the bundle is not sufficiently clear to determine every vulnerable release. Avoid assuming exploit availability or fixed versions beyond the cited advisory. Focus validation on product identity, firmware, and HTTP(S) management reachability.
Mitigation direction
Review the Belden advisory for exact affected and fixed firmware guidance.
Identify Hirschmann HiOS and HiSecOS EAGLE devices in the environment.
Restrict HTTP(S) management access to trusted administrative networks.
Disable unnecessary web management exposure where operations allow.
Prioritize remediation for devices reachable from enterprise or external networks.
Validation and detection
Compare device models and firmware versions against the Belden advisory.
Confirm whether HTTP(S) management is enabled on each device.
Verify management interfaces are not reachable from untrusted networks.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-287: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
3Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-287 · source CWE mapping
Improper Authentication
Improper Authentication represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.