LiveActive security incident?Get immediate response
CVE Record

CVE-2025-15620: HiOS Switch Platform Denial-of-Service via Web Interface

HiOS Switch Platform versions 09.1.00 through 09.4.04 and 10.0.00 through 10.3.00 contain a denial-of-service vulnerability in the web interface that allows remote attackers to reboot the affected device by sending a malicious HTTP GET request to a specific endpoint. Attackers can trigger an uncontrolled reboot condition through crafted HTTP requests to cause service disruption and unavailability of the switch.

CriticalCVSS 9.2Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

This vulnerability lets a remote, unauthenticated attacker reboot affected Hirschmann HiOS switches through the web interface. For networks that depend on these switches, repeated reboots could interrupt connectivity, operations, or industrial processes. The provided sources rate it critical because availability impact is high and exploitation requires network access only.

Executive priority

Treat this as urgent for operationally important networks. The main business risk is service disruption rather than data theft. Prioritize internet-reachable, partner-reachable, and OT-adjacent switch management interfaces first, then complete firmware remediation according to Belden guidance.

Technical view

CVE-2025-15620 is a denial-of-service issue in Belden Hirschmann HiOS Switch Platform versions 09.1.00 through 09.4.04 and 10.0.00 through 10.3.00. A crafted HTTP GET request to the web interface can trigger an uncontrolled reboot. The record maps this to CWE-306 and CVSS 4.0 score 9.2.

Likely exposure

Exposure is most likely where affected HiOS switches are running vulnerable versions and their web management interface is reachable from user, partner, internet, or other untrusted networks. Internal-only exposure still matters because the attack is unauthenticated and affects network availability.

Exploitation context

The provided bundle says remote attackers can reboot affected devices with a malicious HTTP GET request. It does not show CISA KEV listing or cited evidence of active exploitation. No public exploit status beyond the advisory description is established here.

Researcher notes

Evidence supports unauthenticated network-triggered reboot via the web interface, but the bundle does not include the endpoint name, fixed versions, exploit availability, or observed exploitation. Avoid assuming confidentiality or integrity impact; the CVSS vector indicates availability impact only.

Mitigation direction

  • Check Belden guidance for fixed firmware or vendor-supported remediation.
  • Restrict web management access to trusted administrative networks only.
  • Block untrusted HTTP access to switch management interfaces.
  • Prioritize remediation for switches supporting critical operations or OT segments.
  • Monitor for unexpected switch reboots and management-interface access anomalies.

Validation and detection

  • Inventory Hirschmann HiOS switches and record exact firmware versions.
  • Confirm whether versions fall in 09.1.00-09.4.04 or 10.0.00-10.3.00.
  • Map where each web management interface is reachable from.
  • Review device uptime, reboot logs, and management access logs.
  • Verify vendor advisory status before declaring remediation complete.
Prepared
Confidence
high
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-306: Credential and account abuse lookup

Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-15620 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.2 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
3Timeline events
1ADP providers
3Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.2CVSS 4.0CriticalCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:HVulnCheck
8.6CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H3.94VulnCheck

Vulnerability scoring details

Base CVSS 4.0 score

9.2Critical
CVSS 4.0 vector shape for CVE-2025-15620Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
BeldenHirschmann HiOS Switch Platform09.1.00, 10.0.00unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-306 · source CWE mapping

Missing Authentication for Critical Function

Missing Authentication for Critical Function represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.