Cyber Resilience

CVE-2018-25236

Critical · Public PoC

Published: 03 April 2026

Modified: 07 April 2026
CVSS v4 Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0050 (39.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2018-25236 is a critical-severity Improper Authentication (CWE-287) vulnerability in Belden products (vendor inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2018-25236 is an authentication bypass vulnerability (CWE-287) affecting the HTTP(S) management module in Hirschmann HiOS and HiSecOS products, including models RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, and EAGLE. The flaw stems from improper authentication handling, enabling unauthenticated remote attackers to craft specially formed HTTP requests that hijack the authentication status and privileges of a previously authenticated user, thereby gaining administrative access without valid credentials. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.

Unauthenticated attackers with network access to the affected devices can exploit this vulnerability remotely by sending malicious HTTP requests to the management interface. Successful exploitation grants full administrative privileges, allowing arbitrary configuration changes, data access, or device compromise, with high impacts on confidentiality, integrity, and availability.

Mitigation details are outlined in vendor advisories, including Belden's Security Bulletin BSECV-2018-05 and a VulnCheck advisory, which provide guidance on patching affected HiOS and HiSecOS firmware versions. Security practitioners should consult these resources for specific upgrade instructions and temporary workarounds, such as restricting management interface access.

Vulnerability details

Hirschmann HiOS and HiSecOS products RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, EAGLE contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative access by crafting specially formed HTTP requests. Attackers can exploit improper authentication handling to obtain the authentication status and privileges of a previously authenticated user without providing valid credentials.

CWE(s): CWE-287 (Improper Authentication)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An authentication bypass in an exposed HTTP(S) management interface directly enables remote exploitation of a public-facing application for admin access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1044 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)
CVE-2026-7022 (shared CWE-287)
CVE-2024-13111 (shared CWE-287)
CVE-2026-29145 (shared CWE-287)
CVE-2024-53704 (shared CWE-287)
CVE-2024-57049 (shared CWE-287)
CVE-2025-12374 (shared CWE-287)
CVE-2025-15484 (shared CWE-287)
CVE-2026-0589 (shared CWE-287)

Affected Assets

Belden
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Access Enforcement requires systems to enforce approved authorizations for all access attempts, directly preventing unauthenticated attackers from gaining administrative privileges via authentication bypass.

Prevent: Identification and Authentication mandates robust mechanisms to verify user identity before granting access, countering the improper authentication handling in the HTTP(S) management module.

Prevent: Session Authenticity uniquely identifies and authenticates HTTP management sessions, mitigating hijacking of previously authenticated user privileges through crafted requests.

References