Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
10 vulnerabilities by Digi International
CVE-2026-12948 (GCVE-0-2026-12948)
Vulnerability from nvd – Published: 2026-07-07 14:32 – Updated: 2026-07-07 14:56
VLAI
EPSS
VEX
Title
Stored Cross-Site Scripting (XSS)
Summary
A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the browser of a user who views the affected pages (CWE-79).
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Assigner
References
1 reference
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Digi International | Digi PortServer TS |
Affected:
82000747_V1 , ≤ 82000747_AB
(custom)
|
|
| Digi International | Digi One SP |
Affected:
82000747_V1 , ≤ 82000747_AB
(custom)
|
|
| Digi International | Digi One SP IA |
Affected:
82000747_V1 , ≤ 82000747_AB
(custom)
|
|
| Digi International | Digi One IA |
Affected:
82000747_V1 , ≤ 82000747_AB
(custom)
|
Date Public
2026-07-07 14:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12948",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T14:56:16.795819Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T14:56:24.483Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Digi PortServer TS",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000747_AB",
"status": "affected",
"version": "82000747_V1",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi One SP",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000747_AB",
"status": "affected",
"version": "82000747_V1",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi One SP IA",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000747_AB",
"status": "affected",
"version": "82000747_V1",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi One IA",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000747_AB",
"status": "affected",
"version": "82000747_V1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-07T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the browser of a user who views the affected pages (CWE-79)."
}
],
"value": "A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the browser of a user who views the affected pages (CWE-79)."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T14:32:43.977Z",
"orgId": "e8a6bb0b-e373-42b1-a5de-93e314325576",
"shortName": "Digi"
},
"references": [
{
"url": "https://www.digi.com/resources/security"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored Cross-Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "e8a6bb0b-e373-42b1-a5de-93e314325576",
"assignerShortName": "Digi",
"cveId": "CVE-2026-12948",
"datePublished": "2026-07-07T14:32:43.977Z",
"dateReserved": "2026-06-22T20:33:02.985Z",
"dateUpdated": "2026-07-07T14:56:24.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12352 (GCVE-0-2026-12352)
Vulnerability from nvd – Published: 2026-07-07 14:31 – Updated: 2026-07-07 14:56
VLAI
EPSS
VEX
Title
Incorrect Authorization
Summary
This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.digi.com/resources/security | mitigationvendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Digi International | PortServer TS 1/2/4 |
Affected:
82000747_V1 , ≤ 82000747_AB
(custom)
|
|
| Digi International | Digi One SP / SP IA / IA |
Affected:
82000774-W , ≤ 93000459_AB
(custom)
|
Date Public
2026-07-07 14:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12352",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T14:56:42.626683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T14:56:48.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PortServer TS 1/2/4",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000747_AB",
"status": "affected",
"version": "82000747_V1",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi One SP / SP IA / IA",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "93000459_AB",
"status": "affected",
"version": "82000774-W",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-07T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device."
}
],
"value": "This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T14:31:08.550Z",
"orgId": "e8a6bb0b-e373-42b1-a5de-93e314325576",
"shortName": "Digi"
},
"references": [
{
"tags": [
"mitigation",
"vendor-advisory"
],
"url": "https://www.digi.com/resources/security"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect Authorization",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "e8a6bb0b-e373-42b1-a5de-93e314325576",
"assignerShortName": "Digi",
"cveId": "CVE-2026-12352",
"datePublished": "2026-07-07T14:31:08.550Z",
"dateReserved": "2026-06-15T21:08:54.168Z",
"dateUpdated": "2026-07-07T14:56:48.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-3659 (GCVE-0-2025-3659)
Vulnerability from nvd – Published: 2025-05-12 20:40 – Updated: 2025-05-12 22:06
VLAI
EPSS
VEX
Title
Improper authentication handling for Digi PortServer TS; Digi One SP, SP IA, IA; Digi One IAP
Summary
Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families:
* Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022
* Digi One SP/Digi One SP IA/Digi One IA - prior to and including 82000774_Z, build date 10/19/2020
* Digi One IAP – prior to and including 82000770 Z, build date 10/19/2020
A specially crafted POST request to the device’s web interface may allow an unauthenticated attacker to modify configuration settings.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
4 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Digi International | Digi PortServer TS |
Affected:
0 , ≤ 82000747_AA
(custom)
|
|
| Digi International | Digi One SP/Digi One SP IA/Digi One IA |
Affected:
0 , ≤ 82000774_Z
(custom)
|
|
| Digi International | Digi One IAP |
Affected:
0 , ≤ 82000770 Z
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3659",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-12T21:43:33.232090Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T22:06:36.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Digi PortServer TS",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000747_AA",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Digi One SP/Digi One SP IA/Digi One IA",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000774_Z",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Digi One IAP",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000770 Z",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper authentication handling was identified in a set of HTTP POST requests affecting the following product families: \u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eDigi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eDigi One SP/Digi One SP IA/Digi One IA - prior to and including 82000774_Z, build date 10/19/2020\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eDigi One IAP \u2013 prior to and including 82000770 Z, build date 10/19/2020\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eA specially crafted POST request to the device\u2019s web interface may allow an unauthenticated attacker to modify configuration settings.\u003c/p\u003e"
}
],
"value": "Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families: \n\n * Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022\n\n\n * Digi One SP/Digi One SP IA/Digi One IA - prior to and including 82000774_Z, build date 10/19/2020\n\n\n * Digi One IAP \u2013 prior to and including 82000770 Z, build date 10/19/2020\n\n\n\n\nA specially crafted POST request to the device\u2019s web interface may allow an unauthenticated attacker to modify configuration settings."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T20:40:03.567Z",
"orgId": "e8a6bb0b-e373-42b1-a5de-93e314325576",
"shortName": "Digi"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://hub.digi.com/support/products/infrastructure-management/digi-portserver-ts/"
},
{
"tags": [
"patch"
],
"url": "https://hub.digi.com/support/products/infrastructure-management/digi-one-sp-ia/"
},
{
"tags": [
"patch"
],
"url": "https://hub.digi.com/support/products/infrastructure-management/digi-one-iap-haz/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.digi.com/getattachment/Resources/Security/Alerts/Improper-authentication-handling-for-Digi-PortServ/improper-authentication-handling.pdf"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Improper authentication handling for Digi PortServer TS; Digi One SP, SP IA, IA; Digi One IAP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e8a6bb0b-e373-42b1-a5de-93e314325576",
"assignerShortName": "Digi",
"cveId": "CVE-2025-3659",
"datePublished": "2025-05-12T20:40:03.567Z",
"dateReserved": "2025-04-15T19:04:32.817Z",
"dateUpdated": "2025-05-12T22:06:36.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4299 (GCVE-0-2023-4299)
Vulnerability from nvd – Published: 2023-08-31 20:45 – Updated: 2025-01-16 21:30
VLAI
EPSS
VEX
Title
Digi RealPort Protocol Use of Password Hash Instead of Password for Authentication
Summary
Digi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected equipment.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
23 products
Date Public
2023-08-31 20:29
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:24:04.616Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-04"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.digi.com/getattachment/resources/security/alerts/realport-cves/Dragos-Disclosure-Statement.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4299",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T21:20:30.564576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T21:30:37.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Digi RealPort",
"vendor": "Digi International ",
"versions": [
{
"lessThanOrEqual": "4.8.488.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "Digi RealPort",
"vendor": "Digi International ",
"versions": [
{
"lessThanOrEqual": "1.9-40",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi ConnectPort TS 8/16",
"vendor": "Digi International ",
"versions": [
{
"lessThan": "2.26.2.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi Passport Console Server",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi ConnectPort LTS 8/16/32",
"vendor": "Digi International ",
"versions": [
{
"lessThan": "1.4.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi CM Console Server",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi PortServer TS",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi PortServer TS MEI",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi PortServer TS MEI Hardened",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi PortServer TS M MEI",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi PortServer TS P MEI",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi One IAP Family",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi One IA",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi One SP IA",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "\u200bDigi One SP",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi WR31",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi WR11 XT",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi WR44 R",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi WR21",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi Connect ES",
"vendor": "Digi International ",
"versions": [
{
"lessThan": "2.26.2.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi Connect SP",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi 6350-SR",
"vendor": "Digi International ",
"versions": [
{
"status": "unaffected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi ConnectCore 8X products",
"vendor": "Digi International ",
"versions": [
{
"status": "unaffected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Reid Wightman of Dragos, Inc reported this vulnerability to Digi International."
}
],
"datePublic": "2023-08-31T20:29:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDigi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected equipment.\u003c/span\u003e\n\n"
}
],
"value": "\nDigi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected equipment.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-836",
"description": "CWE-836",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-31T20:45:43.866Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-04"
},
{
"url": "https://www.digi.com/getattachment/resources/security/alerts/realport-cves/Dragos-Disclosure-Statement.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eDigi International recommends users acquire and install patches that they have made available for the following products:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u200bRealPort software for Windows: Fixed in 4.10.490\u003c/li\u003e\u003cli\u003e\u200bDigi ConnectPort TS 8/16: Fixed in firmware version 2.26.2.4\u003c/li\u003e\u003cli\u003e\u200bDigi ConnectPort LTS 8/16/32: Fixed in version 1.4.9\u003c/li\u003e\u003cli\u003e\u200bDigi Connect ES: Fixed in firmware version 2.26.2.4\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u200bFor more information, see the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.digi.com/getattachment/resources/security/alerts/realport-cves/Dragos-Disclosure-Statement.pdf\"\u003ecustomer notification document\u003c/a\u003e\u0026nbsp;published by Digi International.\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nDigi International recommends users acquire and install patches that they have made available for the following products:\n\n * \u200bRealPort software for Windows: Fixed in 4.10.490\n * \u200bDigi ConnectPort TS 8/16: Fixed in firmware version 2.26.2.4\n * \u200bDigi ConnectPort LTS 8/16/32: Fixed in version 1.4.9\n * \u200bDigi Connect ES: Fixed in firmware version 2.26.2.4\n\n\n\u200bFor more information, see the customer notification document https://www.digi.com/getattachment/resources/security/alerts/realport-cves/Dragos-Disclosure-Statement.pdf \u00a0published by Digi International.\n\n\n\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Digi RealPort Protocol Use of Password Hash Instead of Password for Authentication",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eDragos recommends restricting access to Digi devices on TCP/771 (default) or TCP/1027 (if encryption is enabled, this is the default port). Only allow the workstations which initiate RealPort connections to communicate to the field equipment on those ports. Note that most of Digi\u0027s devices allow you to change the setting for which TCP port the RealPort service runs on, so end users should consult their device configuration and restrict access to the configured port if it is not the default.\u003c/p\u003e\u003cp\u003e\u200bIf using the system in \u0027reverse\u0027 mode, where the Digi device calls back to the Windows or Linux workstation, then Dragos recommends restricting access to the workstation on TCP/771 or TCP/1027 to known Digi RealPort devices on your network. This port may be configured by end users, so consult the workstation and device configurations to ensure coverage.\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nDragos recommends restricting access to Digi devices on TCP/771 (default) or TCP/1027 (if encryption is enabled, this is the default port). Only allow the workstations which initiate RealPort connections to communicate to the field equipment on those ports. Note that most of Digi\u0027s devices allow you to change the setting for which TCP port the RealPort service runs on, so end users should consult their device configuration and restrict access to the configured port if it is not the default.\n\n\u200bIf using the system in \u0027reverse\u0027 mode, where the Digi device calls back to the Windows or Linux workstation, then Dragos recommends restricting access to the workstation on TCP/771 or TCP/1027 to known Digi RealPort devices on your network. This port may be configured by end users, so consult the workstation and device configurations to ensure coverage.\n\n\n\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-4299",
"datePublished": "2023-08-31T20:45:43.866Z",
"dateReserved": "2023-08-10T20:14:27.489Z",
"dateUpdated": "2025-01-16T21:30:37.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38412 (GCVE-0-2021-38412)
Vulnerability from nvd – Published: 2021-09-17 19:07 – Updated: 2024-09-17 00:06
VLAI
EPSS
VEX
Title
Digi PortServer TS 16 Improper Authentication
Summary
Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. This vulnerability could allow an attacker to enable the SNMP service and manipulate the community strings to achieve further control in.
Severity
9.6 (Critical)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Digi International | PortServer TS 16 |
Affected:
Firmware , ≤ 82000684
(custom)
|
Date Public
2021-09-14 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:37:16.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PortServer TS 16",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000684",
"status": "affected",
"version": "Firmware",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. This vulnerability could allow an attacker to enable the SNMP service and manipulate the community strings to achieve further control in."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-17T19:07:49.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01"
}
],
"solutions": [
{
"lang": "en",
"value": "The PortServer TS 16 product was discontinued in 2016. Per Digi\u2019s security support, the device software and hardware support of 5 years has passed. Digi recommends upgrading to a new supported product. If this is not possible, extended support may be available by contacting Digi directly."
}
],
"source": {
"advisory": "ICSA-21-257-01",
"discovery": "UNKNOWN"
},
"title": "Digi PortServer TS 16 Improper Authentication",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-09-14T17:00:00.000Z",
"ID": "CVE-2021-38412",
"STATE": "PUBLIC",
"TITLE": "Digi PortServer TS 16 Improper Authentication"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PortServer TS 16",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Firmware",
"version_value": "82000684"
},
{
"version_affected": "\u003c=",
"version_name": "Firmware",
"version_value": "82000685 +1"
}
]
}
}
]
},
"vendor_name": "Digi International"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. This vulnerability could allow an attacker to enable the SNMP service and manipulate the community strings to achieve further control in."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01"
}
]
},
"solution": [
{
"lang": "en",
"value": "The PortServer TS 16 product was discontinued in 2016. Per Digi\u2019s security support, the device software and hardware support of 5 years has passed. Digi recommends upgrading to a new supported product. If this is not possible, extended support may be available by contacting Digi directly."
}
],
"source": {
"advisory": "ICSA-21-257-01",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-38412",
"datePublished": "2021-09-17T19:07:49.497Z",
"dateReserved": "2021-08-10T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:06:58.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-12948 (GCVE-0-2026-12948)
Vulnerability from cvelistv5 – Published: 2026-07-07 14:32 – Updated: 2026-07-07 14:56
VLAI
EPSS
VEX
Title
Stored Cross-Site Scripting (XSS)
Summary
A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the browser of a user who views the affected pages (CWE-79).
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Assigner
References
1 reference
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Digi International | Digi PortServer TS |
Affected:
82000747_V1 , ≤ 82000747_AB
(custom)
|
|
| Digi International | Digi One SP |
Affected:
82000747_V1 , ≤ 82000747_AB
(custom)
|
|
| Digi International | Digi One SP IA |
Affected:
82000747_V1 , ≤ 82000747_AB
(custom)
|
|
| Digi International | Digi One IA |
Affected:
82000747_V1 , ≤ 82000747_AB
(custom)
|
Date Public
2026-07-07 14:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12948",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T14:56:16.795819Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T14:56:24.483Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Digi PortServer TS",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000747_AB",
"status": "affected",
"version": "82000747_V1",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi One SP",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000747_AB",
"status": "affected",
"version": "82000747_V1",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi One SP IA",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000747_AB",
"status": "affected",
"version": "82000747_V1",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi One IA",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000747_AB",
"status": "affected",
"version": "82000747_V1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-07T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the browser of a user who views the affected pages (CWE-79)."
}
],
"value": "A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the browser of a user who views the affected pages (CWE-79)."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T14:32:43.977Z",
"orgId": "e8a6bb0b-e373-42b1-a5de-93e314325576",
"shortName": "Digi"
},
"references": [
{
"url": "https://www.digi.com/resources/security"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored Cross-Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "e8a6bb0b-e373-42b1-a5de-93e314325576",
"assignerShortName": "Digi",
"cveId": "CVE-2026-12948",
"datePublished": "2026-07-07T14:32:43.977Z",
"dateReserved": "2026-06-22T20:33:02.985Z",
"dateUpdated": "2026-07-07T14:56:24.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12352 (GCVE-0-2026-12352)
Vulnerability from cvelistv5 – Published: 2026-07-07 14:31 – Updated: 2026-07-07 14:56
VLAI
EPSS
VEX
Title
Incorrect Authorization
Summary
This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.digi.com/resources/security | mitigationvendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Digi International | PortServer TS 1/2/4 |
Affected:
82000747_V1 , ≤ 82000747_AB
(custom)
|
|
| Digi International | Digi One SP / SP IA / IA |
Affected:
82000774-W , ≤ 93000459_AB
(custom)
|
Date Public
2026-07-07 14:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12352",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T14:56:42.626683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T14:56:48.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PortServer TS 1/2/4",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000747_AB",
"status": "affected",
"version": "82000747_V1",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi One SP / SP IA / IA",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "93000459_AB",
"status": "affected",
"version": "82000774-W",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-07-07T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device."
}
],
"value": "This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T14:31:08.550Z",
"orgId": "e8a6bb0b-e373-42b1-a5de-93e314325576",
"shortName": "Digi"
},
"references": [
{
"tags": [
"mitigation",
"vendor-advisory"
],
"url": "https://www.digi.com/resources/security"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect Authorization",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "e8a6bb0b-e373-42b1-a5de-93e314325576",
"assignerShortName": "Digi",
"cveId": "CVE-2026-12352",
"datePublished": "2026-07-07T14:31:08.550Z",
"dateReserved": "2026-06-15T21:08:54.168Z",
"dateUpdated": "2026-07-07T14:56:48.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-3659 (GCVE-0-2025-3659)
Vulnerability from cvelistv5 – Published: 2025-05-12 20:40 – Updated: 2025-05-12 22:06
VLAI
EPSS
VEX
Title
Improper authentication handling for Digi PortServer TS; Digi One SP, SP IA, IA; Digi One IAP
Summary
Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families:
* Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022
* Digi One SP/Digi One SP IA/Digi One IA - prior to and including 82000774_Z, build date 10/19/2020
* Digi One IAP – prior to and including 82000770 Z, build date 10/19/2020
A specially crafted POST request to the device’s web interface may allow an unauthenticated attacker to modify configuration settings.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
4 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Digi International | Digi PortServer TS |
Affected:
0 , ≤ 82000747_AA
(custom)
|
|
| Digi International | Digi One SP/Digi One SP IA/Digi One IA |
Affected:
0 , ≤ 82000774_Z
(custom)
|
|
| Digi International | Digi One IAP |
Affected:
0 , ≤ 82000770 Z
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3659",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-12T21:43:33.232090Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T22:06:36.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Digi PortServer TS",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000747_AA",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Digi One SP/Digi One SP IA/Digi One IA",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000774_Z",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Digi One IAP",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000770 Z",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper authentication handling was identified in a set of HTTP POST requests affecting the following product families: \u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eDigi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eDigi One SP/Digi One SP IA/Digi One IA - prior to and including 82000774_Z, build date 10/19/2020\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eDigi One IAP \u2013 prior to and including 82000770 Z, build date 10/19/2020\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eA specially crafted POST request to the device\u2019s web interface may allow an unauthenticated attacker to modify configuration settings.\u003c/p\u003e"
}
],
"value": "Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families: \n\n * Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022\n\n\n * Digi One SP/Digi One SP IA/Digi One IA - prior to and including 82000774_Z, build date 10/19/2020\n\n\n * Digi One IAP \u2013 prior to and including 82000770 Z, build date 10/19/2020\n\n\n\n\nA specially crafted POST request to the device\u2019s web interface may allow an unauthenticated attacker to modify configuration settings."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T20:40:03.567Z",
"orgId": "e8a6bb0b-e373-42b1-a5de-93e314325576",
"shortName": "Digi"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://hub.digi.com/support/products/infrastructure-management/digi-portserver-ts/"
},
{
"tags": [
"patch"
],
"url": "https://hub.digi.com/support/products/infrastructure-management/digi-one-sp-ia/"
},
{
"tags": [
"patch"
],
"url": "https://hub.digi.com/support/products/infrastructure-management/digi-one-iap-haz/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.digi.com/getattachment/Resources/Security/Alerts/Improper-authentication-handling-for-Digi-PortServ/improper-authentication-handling.pdf"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Improper authentication handling for Digi PortServer TS; Digi One SP, SP IA, IA; Digi One IAP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e8a6bb0b-e373-42b1-a5de-93e314325576",
"assignerShortName": "Digi",
"cveId": "CVE-2025-3659",
"datePublished": "2025-05-12T20:40:03.567Z",
"dateReserved": "2025-04-15T19:04:32.817Z",
"dateUpdated": "2025-05-12T22:06:36.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4299 (GCVE-0-2023-4299)
Vulnerability from cvelistv5 – Published: 2023-08-31 20:45 – Updated: 2025-01-16 21:30
VLAI
EPSS
VEX
Title
Digi RealPort Protocol Use of Password Hash Instead of Password for Authentication
Summary
Digi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected equipment.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
23 products
Date Public
2023-08-31 20:29
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:24:04.616Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-04"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.digi.com/getattachment/resources/security/alerts/realport-cves/Dragos-Disclosure-Statement.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4299",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T21:20:30.564576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T21:30:37.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Digi RealPort",
"vendor": "Digi International ",
"versions": [
{
"lessThanOrEqual": "4.8.488.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "Digi RealPort",
"vendor": "Digi International ",
"versions": [
{
"lessThanOrEqual": "1.9-40",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi ConnectPort TS 8/16",
"vendor": "Digi International ",
"versions": [
{
"lessThan": "2.26.2.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi Passport Console Server",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi ConnectPort LTS 8/16/32",
"vendor": "Digi International ",
"versions": [
{
"lessThan": "1.4.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi CM Console Server",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi PortServer TS",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi PortServer TS MEI",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi PortServer TS MEI Hardened",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi PortServer TS M MEI",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi PortServer TS P MEI",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi One IAP Family",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi One IA",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi One SP IA",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "\u200bDigi One SP",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi WR31",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi WR11 XT",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi WR44 R",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi WR21",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi Connect ES",
"vendor": "Digi International ",
"versions": [
{
"lessThan": "2.26.2.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi Connect SP",
"vendor": "Digi International ",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi 6350-SR",
"vendor": "Digi International ",
"versions": [
{
"status": "unaffected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Digi ConnectCore 8X products",
"vendor": "Digi International ",
"versions": [
{
"status": "unaffected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Reid Wightman of Dragos, Inc reported this vulnerability to Digi International."
}
],
"datePublic": "2023-08-31T20:29:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDigi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected equipment.\u003c/span\u003e\n\n"
}
],
"value": "\nDigi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected equipment.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-836",
"description": "CWE-836",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-31T20:45:43.866Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-04"
},
{
"url": "https://www.digi.com/getattachment/resources/security/alerts/realport-cves/Dragos-Disclosure-Statement.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eDigi International recommends users acquire and install patches that they have made available for the following products:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u200bRealPort software for Windows: Fixed in 4.10.490\u003c/li\u003e\u003cli\u003e\u200bDigi ConnectPort TS 8/16: Fixed in firmware version 2.26.2.4\u003c/li\u003e\u003cli\u003e\u200bDigi ConnectPort LTS 8/16/32: Fixed in version 1.4.9\u003c/li\u003e\u003cli\u003e\u200bDigi Connect ES: Fixed in firmware version 2.26.2.4\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u200bFor more information, see the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.digi.com/getattachment/resources/security/alerts/realport-cves/Dragos-Disclosure-Statement.pdf\"\u003ecustomer notification document\u003c/a\u003e\u0026nbsp;published by Digi International.\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nDigi International recommends users acquire and install patches that they have made available for the following products:\n\n * \u200bRealPort software for Windows: Fixed in 4.10.490\n * \u200bDigi ConnectPort TS 8/16: Fixed in firmware version 2.26.2.4\n * \u200bDigi ConnectPort LTS 8/16/32: Fixed in version 1.4.9\n * \u200bDigi Connect ES: Fixed in firmware version 2.26.2.4\n\n\n\u200bFor more information, see the customer notification document https://www.digi.com/getattachment/resources/security/alerts/realport-cves/Dragos-Disclosure-Statement.pdf \u00a0published by Digi International.\n\n\n\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Digi RealPort Protocol Use of Password Hash Instead of Password for Authentication",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eDragos recommends restricting access to Digi devices on TCP/771 (default) or TCP/1027 (if encryption is enabled, this is the default port). Only allow the workstations which initiate RealPort connections to communicate to the field equipment on those ports. Note that most of Digi\u0027s devices allow you to change the setting for which TCP port the RealPort service runs on, so end users should consult their device configuration and restrict access to the configured port if it is not the default.\u003c/p\u003e\u003cp\u003e\u200bIf using the system in \u0027reverse\u0027 mode, where the Digi device calls back to the Windows or Linux workstation, then Dragos recommends restricting access to the workstation on TCP/771 or TCP/1027 to known Digi RealPort devices on your network. This port may be configured by end users, so consult the workstation and device configurations to ensure coverage.\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nDragos recommends restricting access to Digi devices on TCP/771 (default) or TCP/1027 (if encryption is enabled, this is the default port). Only allow the workstations which initiate RealPort connections to communicate to the field equipment on those ports. Note that most of Digi\u0027s devices allow you to change the setting for which TCP port the RealPort service runs on, so end users should consult their device configuration and restrict access to the configured port if it is not the default.\n\n\u200bIf using the system in \u0027reverse\u0027 mode, where the Digi device calls back to the Windows or Linux workstation, then Dragos recommends restricting access to the workstation on TCP/771 or TCP/1027 to known Digi RealPort devices on your network. This port may be configured by end users, so consult the workstation and device configurations to ensure coverage.\n\n\n\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-4299",
"datePublished": "2023-08-31T20:45:43.866Z",
"dateReserved": "2023-08-10T20:14:27.489Z",
"dateUpdated": "2025-01-16T21:30:37.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38412 (GCVE-0-2021-38412)
Vulnerability from cvelistv5 – Published: 2021-09-17 19:07 – Updated: 2024-09-17 00:06
VLAI
EPSS
VEX
Title
Digi PortServer TS 16 Improper Authentication
Summary
Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. This vulnerability could allow an attacker to enable the SNMP service and manipulate the community strings to achieve further control in.
Severity
9.6 (Critical)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Digi International | PortServer TS 16 |
Affected:
Firmware , ≤ 82000684
(custom)
|
Date Public
2021-09-14 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:37:16.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PortServer TS 16",
"vendor": "Digi International",
"versions": [
{
"lessThanOrEqual": "82000684",
"status": "affected",
"version": "Firmware",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. This vulnerability could allow an attacker to enable the SNMP service and manipulate the community strings to achieve further control in."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-17T19:07:49.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01"
}
],
"solutions": [
{
"lang": "en",
"value": "The PortServer TS 16 product was discontinued in 2016. Per Digi\u2019s security support, the device software and hardware support of 5 years has passed. Digi recommends upgrading to a new supported product. If this is not possible, extended support may be available by contacting Digi directly."
}
],
"source": {
"advisory": "ICSA-21-257-01",
"discovery": "UNKNOWN"
},
"title": "Digi PortServer TS 16 Improper Authentication",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-09-14T17:00:00.000Z",
"ID": "CVE-2021-38412",
"STATE": "PUBLIC",
"TITLE": "Digi PortServer TS 16 Improper Authentication"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PortServer TS 16",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Firmware",
"version_value": "82000684"
},
{
"version_affected": "\u003c=",
"version_name": "Firmware",
"version_value": "82000685 +1"
}
]
}
}
]
},
"vendor_name": "Digi International"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. This vulnerability could allow an attacker to enable the SNMP service and manipulate the community strings to achieve further control in."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01"
}
]
},
"solution": [
{
"lang": "en",
"value": "The PortServer TS 16 product was discontinued in 2016. Per Digi\u2019s security support, the device software and hardware support of 5 years has passed. Digi recommends upgrading to a new supported product. If this is not possible, extended support may be available by contacting Digi directly."
}
],
"source": {
"advisory": "ICSA-21-257-01",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-38412",
"datePublished": "2021-09-17T19:07:49.497Z",
"dateReserved": "2021-08-10T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:06:58.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}