CVE-2026-22905

7.5 HIGH

Published 2026-02-09 · Modified 2026-02-09 · Awaiting Analysis

Quick Summary

A flaw in how the software checks web addresses allows an attacker to bypass the login page. This matters because it lets anyone on the internet access sensitive administrative functions without a password.

Who is affected

Any system using the vulnerable software is affected. An attacker could gain unauthorized access to protected areas and download configuration files.

Recommended fix

Apply the vendor's security patch immediately. If a patch is not available, implement strict input validation to block path traversal sequences (like /../) in all URI requests.

Technical Description

An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path traversal sequences (e.g., /js/../cgi-bin/post.cgi), gaining unauthorized access to protected CGI endpoints and configuration downloads.

CVSS Details

Attack Vector

NETWORK

Complexity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-22

References

https://certvde.com/de/advisories/VDE-2026-004