CVE-2026-24455
Published: 20 February 2026
Summary
CVE-2026-24455 is a high-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Cisa (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040). The CVE is ranked at the 10.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-13 (Cryptographic Protection).
Deeper analysis
CVE-2026-24455 is a vulnerability in the embedded web interface of the device, where authentication relies on HTTP Basic Authentication without support for HTTPS/TLS. This configuration results in traffic that is encoded but not encrypted, exposing user credentials to passive interception. The flaw is cataloged under CWE-319 (Cleartext Transmission of Sensitive Information) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to network accessibility and significant confidentiality impact.
Attackers with access to the same network as the device can exploit this vulnerability through passive network interception, such as via packet sniffing, to capture transmitted credentials without requiring privileges, user interaction, or active disruption. Successful exploitation enables unauthorized access to the web interface using stolen credentials, potentially leading to further compromise depending on the device's privileges and functions.
The CISA ICS advisory ICSA-26-050-03 addresses this vulnerability, with full details available at https://www.cisagov.github.io/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json and https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03. Practitioners should consult these sources for recommended mitigations, such as applying patches or network segmentation if available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8308
Vulnerability details
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network.
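The "encoded but not encrypted" point, shown as a defensive check over captured HTTP messages. This is an added example, not code from the advisory or the vendor; the sample traffic, the account name and the function names are constructed for illustration.

```python
import base64
import binascii

# Constructed sample traffic (not taken from the advisory): a request to a
# device web UI over plain HTTP, and the 401 challenge that precedes it.
SAMPLE_REQUEST = (
    b"GET /status HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Authorization: Basic " + base64.b64encode(b"operator:example-pass") + b"\r\n\r\n"
)
SAMPLE_CHALLENGE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Basic realm="device"\r\n\r\n'
)


def parse_headers(raw: bytes) -> dict:
    """Return the header fields of one HTTP message, keyed by lowercase name."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_message(raw: bytes, tls: bool) -> list:
    """Flag Basic authentication observed on a connection without TLS."""
    if tls:
        return []  # the transport protects the header; nothing to report
    findings = []
    headers = parse_headers(raw)
    if headers.get("www-authenticate", "").lower().startswith("basic"):
        findings.append("server requests Basic auth over cleartext HTTP")
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return findings + ["malformed Basic credentials over cleartext HTTP"]
        user, _, password = decoded.decode("utf-8", "replace").partition(":")
        # Base64 needs no key to reverse; report the account, never the secret.
        findings.append(f"credentials for {user!r} recoverable from cleartext "
                        f"({len(password)}-character password)")
    return findings
```

Run it over messages exported from a monitoring tap on the device's network segment; any finding means the credential was readable by every host on that path and should be rotated.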
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Cleartext HTTP Basic Auth directly enables passive credential capture via network sniffing (T1040); captured credentials then facilitate unauthorized access via valid accounts (T1078).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Requires protection of the confidentiality and integrity of transmitted information, directly preventing passive network interception of unencrypted HTTP Basic Authentication credentials.
Mandates protection of authenticators during transmission commensurate with risk, specifically addressing exposure of user credentials in the web interface.
Implements cryptographic mechanisms to protect confidentiality of transmitted sensitive information, mitigating the cleartext transmission vulnerability in the embedded web interface.