Cyber Resilience

CVE-2026-24455

High

Published: 20 February 2026

Published
20 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0003 10.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24455 is a high-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Cisa (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2026-24455 is a vulnerability in the embedded web interface of the device, where authentication relies on HTTP Basic Authentication without support for HTTPS/TLS. This configuration results in traffic that is encoded but not encrypted, exposing user credentials to passive interception. The flaw is cataloged under CWE-319 (Cleartext Transmission of Sensitive Information) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to network accessibility and significant confidentiality impact.

Attackers with access to the same network as the device can exploit this vulnerability through passive network interception, such as via packet sniffing, to capture transmitted credentials without requiring privileges, user interaction, or active disruption. Successful exploitation enables unauthorized access to the web interface using stolen credentials, potentially leading to further compromise depending on the device's privileges and functions.

The CISA ICS advisory ICSA-26-050-03 addresses this vulnerability, with full details available at https://www.cisagov.github.io/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json and https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03. Practitioners should consult these sources for recommended mitigations, such as applying patches or network segmentation if available.

EU & UK References

Vulnerability details

The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1040 Network Sniffing Credential Access
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Cleartext HTTP Basic Auth directly enables passive credential capture via network sniffing (T1040); captured credentials then facilitate unauthorized access via valid accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42514Shared CWE-319
CVE-2026-23661Shared CWE-319
CVE-2025-13718Shared CWE-319
CVE-2024-36558Shared CWE-319
CVE-2025-70048Shared CWE-319
CVE-2024-44276Shared CWE-319
CVE-2025-69272Shared CWE-319
CVE-2024-42181Shared CWE-319
CVE-2026-30795Shared CWE-319
CVE-2026-30796Shared CWE-319

Affected Assets

Cisa
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires protection of the confidentiality and integrity of transmitted information, directly preventing passive network interception of unencrypted HTTP Basic Authentication credentials.

prevent

Mandates protection of authenticators during transmission commensurate with risk, specifically addressing exposure of user credentials in the web interface.

prevent

Implements cryptographic mechanisms to protect confidentiality of transmitted sensitive information, mitigating the cleartext transmission vulnerability in the embedded web interface.

References