Cyber Resilience

CVE-2025-13926

Critical

Published: 09 April 2026

Modified: 13 April 2026
KEV Added: not listed
Patch: see the vendor support page and CISA ICSA-26-099-01 under References
CVSS v4.0 base score: 9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS score: 0.0044 (35.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-13926 is a critical-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in the Contemporary Controls BASC-20T device (vendor and product inferred from the references; NVD has not filed a CPE). Its CVSS v4.0 base score is 9.3 (Critical); under CVSS v3.1 it scores 9.8.

Operationally, exploitation aligns with the MITRE ATT&CK techniques Network Sniffing (T1040) and Exploit Public-Facing Application (T1190). EPSS ranks it at the 35.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2025-13926 is a critical-severity vulnerability (CVSS 3.1 score: 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in the Contemporary Controls BASC-20T device, published on 2026-04-09. The issue, tied to CWE-807 (Reliance on Untrusted Inputs in a Security Decision), means the device accepts values it observes on the wire as sufficient grounds for acting on a request: an attacker who can sniff traffic to the device captures those values and then forges packets that the device treats as legitimate, issuing arbitrary requests.

A remote network attacker requires no privileges, authentication, or user interaction to exploit this vulnerability. By forging packets based on sniffed traffic, the attacker can achieve high-impact compromise of confidentiality, integrity, and availability, potentially leading to full control over the BASC-20T device. The practical prerequisite is a vantage point from which device traffic can be observed (a host on the same segment, a mirrored port, or an on-path position), so restricting which hosts can reach the controller's network segment reduces exposure even before a fix is applied.

Mitigation guidance is detailed in CISA ICS Advisory ICSA-26-099-01 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01), the associated CSAF JSON file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-01.json), and Contemporary Controls' technical support page (https://www.ccontrols.com/support/contacttech.htm). Security practitioners should consult these resources for patches, workarounds, and configuration recommendations.

Vulnerability details

An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T.

CWE(s)

CWE-807 Reliance on Untrusted Inputs in a Security Decision

Related Threats

MITRE ATT&CK Enterprise Techniques

T1040 Network Sniffing Credential Access
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Exploitation starts with passive capture of the device's traffic to obtain the values the device trusts (T1040) and ends with unauthenticated forged packets sent to the network-exposed device to take arbitrary control of it (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-49827 (shared CWE-807)
CVE-2026-29134 (shared CWE-807)
CVE-2024-13974 (shared CWE-807)
CVE-2026-32975 (shared CWE-807)
CVE-2026-35670 (shared CWE-807)
CVE-2026-27707 (shared CWE-807)
CVE-2026-41380 (shared CWE-807)
CVE-2026-21509 (shared CWE-807)
CVE-2026-6213 (shared CWE-807)
CVE-2026-25958 (shared CWE-807)

Affected Assets

Contemporary Controls (ccontrols.com) BASC-20T
Vendor and product inferred from the references and the CVE description; NVD had not filed a CPE for this CVE at the time of writing.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SC-8 Transmission Confidentiality and Integrity (prevent)

Protects network transmissions with confidentiality and integrity, preventing attackers from sniffing traffic to capture the data needed to forge packets.

SI-10 Information Input Validation (prevent)

Validates all information inputs, including forged packets, directly addressing the CWE-807 reliance on untrusted inputs in security decisions.

SC-23 Session Authenticity (prevent)

Verifies the authenticity of communication sessions, blocking forged packets used to issue arbitrary requests to the device.
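The sniff-then-forge pattern described under Deeper analysis, and the SC-23 and SC-8 countermeasures listed above, as an added illustration that is not code from this page, from Contemporary Controls, or from the BASC-20T firmware. The request frame, the class names and the keys are assumptions constructed for the example and are not the BASC-20T wire format. The vulnerable handler authorises a request solely by a static token it reads from the datagram (CWE-807: the only thing it checks is exactly what a sniffer sees), so one captured request is enough to forge any other. The hardened handler requires a per-session key that never travels in clear, a strictly increasing counter, and an HMAC over the whole frame, so a replayed capture, a tampered capture, and a packet built without the key are all rejected.

```python
"""CWE-807 in a toy request protocol, and a session-authenticated fix.

Everything here (frame layout, token, keys, setpoints) is constructed for
this illustration; it is not the BASC-20T protocol.
"""
import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA256 tag length


class VulnerableDevice:
    """Authorises a request by a static token carried in clear in every
    datagram: the device's security decision rests on a value any
    sniffer on the path can read and reuse (CWE-807)."""

    def __init__(self, token: bytes) -> None:
        self.token = token  # fixed for the device's lifetime
        self.setpoint = 20

    def handle(self, datagram: bytes) -> str:
        # frame (hypothetical): token[8] | opcode[1] | payload
        if len(datagram) < 9:
            return "rejected: short"
        token, opcode, payload = datagram[:8], datagram[8], datagram[9:]
        if token != self.token:
            return "rejected: bad token"
        if opcode == 0x01 and len(payload) == 2:
            self.setpoint = struct.unpack(">h", payload)[0]
            return f"setpoint={self.setpoint}"
        return "rejected: unknown opcode"


def vulnerable_request(token: bytes, setpoint: int) -> bytes:
    """Legitimate client frame for the vulnerable protocol."""
    return token + b"\x01" + struct.pack(">h", setpoint)


def forge_from_capture(captured: bytes, setpoint: int) -> bytes:
    """Attacker step: keep the sniffed token, substitute the payload."""
    return captured[:8] + b"\x01" + struct.pack(">h", setpoint)


class HardenedDevice:
    """Same controller with a per-session key (established out of band or
    over an encrypted channel), a strictly increasing counter, and an HMAC
    over counter|opcode|payload: the SC-23 'session authenticity' idea."""

    def __init__(self, session_key: bytes) -> None:
        self.key = session_key
        self.last_counter = 0
        self.setpoint = 20

    def handle(self, datagram: bytes) -> str:
        # frame (hypothetical): counter[4] | opcode[1] | payload | tag[32]
        if len(datagram) < 5 + MAC_LEN:
            return "rejected: short"
        body, tag = datagram[:-MAC_LEN], datagram[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad mac"  # tampered or built without the key
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return "rejected: replay"  # verbatim re-send of a capture
        self.last_counter = counter
        opcode, payload = body[4], body[5:]
        if opcode == 0x01 and len(payload) == 2:
            self.setpoint = struct.unpack(">h", payload)[0]
            return f"setpoint={self.setpoint}"
        return "rejected: unknown opcode"


def hardened_request(session_key: bytes, counter: int, setpoint: int) -> bytes:
    """Legitimate client frame for the hardened protocol."""
    body = struct.pack(">I", counter) + b"\x01" + struct.pack(">h", setpoint)
    return body + hmac.new(session_key, body, hashlib.sha256).digest()


def demo() -> dict:
    """Run the attack against both designs; returns each outcome by name."""
    results = {}
    token = b"\x11\x22\x33\x44\x55\x66\x77\x88"  # constructed static token
    dev = VulnerableDevice(token)
    captured = vulnerable_request(token, 21)  # operator sets 21, sniffed
    results["legit_vuln"] = dev.handle(captured)
    results["forged_vuln"] = dev.handle(forge_from_capture(captured, 35))

    key = hashlib.sha256(b"constructed session key").digest()  # never on the wire
    hdev = HardenedDevice(key)
    captured2 = hardened_request(key, 1, 21)
    results["legit_hard"] = hdev.handle(captured2)
    results["replay_hard"] = hdev.handle(captured2)
    tampered = captured2[:4] + b"\x01" + struct.pack(">h", 35) + captured2[7:]
    results["tampered_hard"] = hdev.handle(tampered)
    results["forged_hard"] = hdev.handle(hardened_request(b"guess", 2, 35))
    results["hardened_setpoint"] = hdev.setpoint
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The HMAC gives the device authenticity and integrity (SC-23) but no confidentiality; the session key must be provisioned or negotiated over a channel the sniffer cannot read, which is what SC-8 (TLS, DTLS or an equivalent encrypted transport) supplies. The strictly increasing counter assumes in-order delivery; over UDP the usual refinement is a sliding anti-replay window as in IPsec and DTLS. `hmac.compare_digest` is used so tag comparison does not leak timing.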

References

CISA ICS Advisory ICSA-26-099-01: https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01
CISA CSAF JSON for ICSA-26-099-01: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-01.json
Contemporary Controls technical support: https://www.ccontrols.com/support/contacttech.htm