Cyber Resilience

CVE-2026-27755

Critical · Public PoC

Published: 27 February 2026

Modified: 03 March 2026
KEV Added
Patch
CVSS Score (v4): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0040 (31.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27755 is a critical-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Sodola-Network Sl902-Swtgw124As Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 31.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2026-27755, published on 2026-02-27, is a weak session identifier generation vulnerability (CWE-330) affecting SODOLA SL902-SWTGW124AS firmware versions through 200.1.20. The device generates predictable MD5-based cookies for session identifiers, enabling attackers to forge authenticated sessions. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.

Remote attackers can exploit this vulnerability if they know or guess valid credentials. By computing the predictable session identifier offline, they bypass the normal login flow, forge an authenticated session, and gain unauthorized access to the device without requiring privileges, user interaction, or elevated complexity.

Advisories and mitigation details are referenced in the VulnCheck advisory at https://www.vulncheck.com/advisories/sodola-sl902-swtgw124as-predictable-session-id and the vendor product page at https://www.sodola-network.com/products/sodola-6-port-2-5g-easy-web-managed-switch-4-x-2-5g-base-t-ports-2-x-10g-sfp-static-aggregation-qos-vlan-igmp-2-5gb-network-home-lab-switch.

Vulnerability details

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a weak session identifier generation vulnerability that allows attackers to forge authenticated sessions by computing predictable MD5-based cookies. Attackers who know or guess valid credentials can calculate the session identifier offline and bypass authentication without completing the login flow, gaining unauthorized access to the device.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1606.001 Web Cookies (Credential Access): Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
Why these techniques?

The vulnerability in the web management interface of the network switch enables exploitation of a public-facing application (T1190) via predictable session identifiers, directly facilitating the forging of web session cookies for unauthorized access (T1606.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27757: Same product (Sodola-Network Sl902-Swtgw124As)
CVE-2026-27751: Same product (Sodola-Network Sl902-Swtgw124As)
CVE-2026-33710: Shared CWE-330
CVE-2026-25072: Shared CWE-330
CVE-2026-27637: Shared CWE-330
CVE-2025-68704: Shared CWE-330
CVE-2026-27515: Shared CWE-330
CVE-2025-64097: Shared CWE-330
CVE-2024-48928: Shared CWE-330
CVE-2026-20101: Shared CWE-330

Affected Assets

sodola-network · sl902-swtgw124as firmware · ≤ 200.1.20

Mitigating Controls (NIST 800-53 r5, AI)

prevent: Directly requires protection of communications session authenticity to prevent forgery via predictable session identifiers.

prevent: Mandates secure generation and management of authenticators, including session cookies, to avoid predictable MD5-based identifiers that enable offline computation and forgery.

prevent, recover: Requires timely identification, reporting, and correction of flaws such as weak session identifier generation in device firmware.
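
A sketch of the authenticator-management control above, added here as an example and not taken from the vendor's firmware or the advisory: session tokens drawn from the OS CSPRNG and tracked server-side, next to a repeat-issuance check that flags credential-derived identifiers during acceptance testing. `weak_issue` is a constructed stand-in with assumed inputs (the page does not give the device's formula); `SessionStore` and `is_deterministic` are hypothetical names.

```python
import hashlib
import secrets
import time


def weak_issue(username, password):
    """Constructed stand-in for a credential-derived MD5 cookie.
    The inputs are an assumption; the page does not give the device's formula."""
    return hashlib.md5(f"{username}:{password}".encode()).hexdigest()


class SessionStore:
    """Server-side sessions keyed by random tokens that carry no credential data."""

    def __init__(self, ttl=900, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}  # sha256(token) -> (username, expiry)

    @staticmethod
    def _key(token):
        # Store only a digest so a dump of the table does not yield live cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = (username, self._clock() + self._ttl)
        return token

    def validate(self, token):
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None  # never issued by this server: computed cookies fail here
        username, expiry = entry
        if self._clock() >= expiry:
            del self._sessions[self._key(token)]
            return None
        return username

    def revoke(self, token):
        self._sessions.pop(self._key(token), None)


def is_deterministic(issue, rounds=5):
    """Acceptance check: issue several sessions for the same login.
    Any repeated value means the identifier is a function of its inputs."""
    tokens = [issue() for _ in range(rounds)]
    return len(set(tokens)) < rounds
```

The same repeat-issuance comparison can be run by hand against a device under test: log in several times with one account and compare the cookie values returned.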
