Cyber Resilience

CVE-2026-27520

HighPublic PoC

Published: 24 February 2026

Published
24 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0020 9.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-27520 is a high-severity Cleartext Storage of Sensitive Information (CWE-312) vulnerability in Binardat 10G08-0800Gsm Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27520 is a vulnerability in the Binardat 10G08-0800GSM network switch firmware versions prior to V300SP10260209. The issue stems from the storage of a user password in a client-side cookie as a Base64-encoded value, which is accessible via the web management interface. Base64 encoding is reversible and provides no confidentiality, enabling straightforward recovery of the plaintext password. It is classified under CWE-312 (Cleartext Storage of Sensitive Information) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

The vulnerability can be exploited by any network-accessible attacker with low complexity and no required privileges or user interaction. By obtaining the cookie value—potentially through network interception if the web interface lacks HTTPS enforcement, client-side access, or other means—an attacker can decode the Base64 content to retrieve the plaintext password. This grants high-impact confidentiality loss, allowing unauthorized access to the switch's management functions.

Advisories, including the VulnCheck report and Binardat's product page for the 8-port 10 Gigabit SFP+ managed switch, indicate that firmware version V300SP10260209 or later addresses the issue by remediating the insecure password storage. Security practitioners should verify and apply updates to affected devices, audit web interface configurations for secure cookie handling (e.g., HttpOnly and Secure flags), and monitor for unauthorized access.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Binardat 10G08-0800GSM network switch firmware versions prior to V300SP10260209 store a user password in a client-side cookie as a Base64-encoded value accessible via the web interface. Because Base64 is reversible and provides no confidentiality, an attacker who can access the…

more

cookie value can recover the plaintext password.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Vuln in web management interface (public-facing) enables remote credential recovery via insecure Base64 cookie storage (unsecured creds).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27516Same product: Binardat 10G08-0800Gsm
CVE-2026-27519Same product: Binardat 10G08-0800Gsm
CVE-2026-27515Same product: Binardat 10G08-0800Gsm
CVE-2026-23678Same product: Binardat 10G08-0800Gsm
CVE-2026-27507Same product: Binardat 10G08-0800Gsm
CVE-2026-27521Same product: Binardat 10G08-0800Gsm
CVE-2026-34833Shared CWE-312
CVE-2026-33867Shared CWE-312
CVE-2026-27877Shared CWE-312
CVE-2024-55928Shared CWE-312

Affected Assets

binardat
10g08-0800gsm firmware
≤ V300SP10260209

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires identifying, reporting, and correcting flaws like the insecure Base64-encoded password storage in client-side cookies via firmware updates to V300SP10260209 or later.

prevent

IA-5 mandates protecting authenticator content such as passwords from unauthorized disclosure, directly addressing reversible storage in accessible client-side cookies.

prevent

CM-6 enforces secure configuration settings for the web management interface, including HttpOnly and Secure cookie flags to limit exposure of the Base64-encoded password.

References