Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a cross-site request forgery vulnerability that allows attackers to modify device configuration by exploiting missing CSRF protections in setup.cgi. Attackers can host malicious pages that submit forged requests using automatically-included HTTP Basic Authentication credentials to add RADIUS accounts, alter network settings, or trigger diagnostics.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
Active
User action required
Impact Assessment
Confidentiality
None
No data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
Vulnerable Products 2
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Hereta Eth-Imc408m_Firmware
cpe:2.3:o:hereta:eth-imc408m_firmware:*:*:*:*:*:*:*:*
|
— |
<= 1.0.15
|
|
Hereta Eth-Imc408m
cpe:2.3:h:hereta:eth-imc408m:-:*:*:*:*:*:*:*
|
— | — |