CVE-2025-15620: HiOS Switch Platform Denial-of-Service via Web Interface
HiOS Switch Platform versions 09.1.00 through 09.4.04 and 10.0.00 through 10.3.00 contain a denial-of-service vulnerability in the web interface that allows remote attackers to reboot the affected device by sending a malicious HTTP GET request to a specific endpoint. Attackers can trigger an uncontrolled reboot condition through crafted HTTP requests to cause service disruption and unavailability of the switch.
Security readout for executives and security teams
Plain-English summary
This vulnerability lets a remote, unauthenticated attacker reboot affected Hirschmann HiOS switches through the web interface. For networks that depend on these switches, repeated reboots could interrupt connectivity, operations, or industrial processes. The provided sources rate it critical because availability impact is high and exploitation requires network access only.
Executive priority
Treat this as urgent for operationally important networks. The main business risk is service disruption rather than data theft. Prioritize internet-reachable, partner-reachable, and OT-adjacent switch management interfaces first, then complete firmware remediation according to Belden guidance.
Technical view
CVE-2025-15620 is a denial-of-service issue in Belden Hirschmann HiOS Switch Platform versions 09.1.00 through 09.4.04 and 10.0.00 through 10.3.00. A crafted HTTP GET request to the web interface can trigger an uncontrolled reboot. The record maps this to CWE-306 and CVSS 4.0 score 9.2.
Likely exposure
Exposure is most likely where affected HiOS switches are running vulnerable versions and their web management interface is reachable from user, partner, internet, or other untrusted networks. Internal-only exposure still matters because the attack is unauthenticated and affects network availability.
Exploitation context
The provided bundle says remote attackers can reboot affected devices with a malicious HTTP GET request. It does not show CISA KEV listing or cited evidence of active exploitation. No public exploit status beyond the advisory description is established here.
Researcher notes
Evidence supports unauthenticated network-triggered reboot via the web interface, but the bundle does not include the endpoint name, fixed versions, exploit availability, or observed exploitation. Avoid assuming confidentiality or integrity impact; the CVSS vector indicates availability impact only.
Mitigation direction
Check Belden guidance for fixed firmware or vendor-supported remediation.
Restrict web management access to trusted administrative networks only.
Block untrusted HTTP access to switch management interfaces.
Prioritize remediation for switches supporting critical operations or OT segments.
Monitor for unexpected switch reboots and management-interface access anomalies.
Validation and detection
Inventory Hirschmann HiOS switches and record exact firmware versions.
Confirm whether versions fall in 09.1.00-09.4.04 or 10.0.00-10.3.00.
Map where each web management interface is reachable from.
Review device uptime, reboot logs, and management access logs.
Verify vendor advisory status before declaring remediation complete.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-306: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-306 · source CWE mapping
Missing Authentication for Critical Function
Missing Authentication for Critical Function represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.