Cyber Posture

CVE-2026-27519

High · Public PoC

Published: 24 February 2026

Modified: 25 February 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0002 (5.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27519 is a high-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Binardat 10G08-0800GSM firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 5.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-327

Contacts with security groups provide timely information on broken or risky cryptographic algorithms, reducing the likelihood of their selection and use.

addresses: CWE-327

Ongoing education and sharing of recommended practices helps organizations identify and migrate away from broken or risky cryptographic algorithms.

addresses: CWE-327

Cross-organization threat feeds commonly include advances in cryptanalysis and active exploits against weak or broken algorithms, allowing organizations to deprecate them proactively.

addresses: CWE-327

Capital planning and funding allow selection and ongoing support of strong cryptographic algorithms rather than weak or broken ones.

addresses: CWE-327

Risk updates surface newly-broken or risky cryptographic algorithms as threat intelligence and computing advances evolve, enabling timely replacement.

addresses: CWE-327

Scanners flag use of broken or weak cryptographic algorithms via known-vulnerability databases.

addresses: CWE-321

Supply chain protection includes scrutiny of cryptographic implementations, reducing hard-coded keys planted by untrusted vendors.

addresses: CWE-321

Functional and assurance requirements specified in acquisition can prohibit hard-coded cryptographic keys in delivered products.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552 Unsecured Credentials (Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

The vulnerability is in an unauthenticated web management interface that uses a hard-coded RC4 key. It directly enables remote exploitation of a public-facing application (T1190) to decrypt and obtain credentials and configuration data (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior use RC4 with a hard-coded key embedded in client-side JavaScript. Because the key is static and exposed, an attacker can decrypt protected values and defeat confidentiality protections.

Deeper analysis (AI)

CVE-2026-27519 is a cryptographic vulnerability in the Binardat 10G08-0800GSM network switch firmware, affecting version V300SP10260209 and prior. The flaw stems from the use of RC4 encryption with a hard-coded key embedded directly in client-side JavaScript code. This static, exposed key enables attackers to decrypt protected values, fully defeating the confidentiality protections intended by the implementation. Published on 2026-02-24, the issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-321 (Use of Hard-coded Cryptographic Key) and CWE-327 (Use of a Broken or Risky Cryptographic Algorithm).

Any unauthenticated attacker with network access to the switch's web management interface can exploit this vulnerability, as it requires low complexity, no privileges, and no user interaction. By inspecting the client-side JavaScript, the attacker obtains the static RC4 key and decrypts any data protected by it, such as configuration values or other sensitive information transmitted via the interface. This results in high confidentiality impact, potentially exposing network credentials, device settings, or other protected data without disrupting integrity or availability.

Mitigation guidance is available in advisories including the VulnCheck report at https://www.vulncheck.com/advisories/binardat-10g08-0800gsm-network-switch-hard-coded-rc4-encryption-key and the vendor product page at https://www.binardat.com/products/8-port-10-gigabit-sfp-managed-switch,-support-1g-sfp-and-10g-sfp-module,-160gbps-bandwidth,-l3-web-managed,-metal-fanless-fiber-binardat-network-switch. Security practitioners should consult these for patching instructions or workarounds specific to the affected firmware.

Details

CWE(s)

Affected Products

binardat · 10g08-0800gsm firmware · ≤ V300SP10260209

CVEs Like This One

CVE-2026-27516 (Same product: Binardat 10G08-0800GSM)
CVE-2026-27520 (Same product: Binardat 10G08-0800GSM)
CVE-2026-27515 (Same product: Binardat 10G08-0800GSM)
CVE-2026-23678 (Same product: Binardat 10G08-0800GSM)
CVE-2026-27507 (Same product: Binardat 10G08-0800GSM)
CVE-2026-27521 (Same product: Binardat 10G08-0800GSM)
CVE-2025-63912 (Shared CWE-327)
CVE-2026-33266 (Shared CWE-321)
CVE-2025-14480 (Shared CWE-327)
CVE-2025-15016 (Shared CWE-321)
