Skip to main content

Hirschmann Hios Switch Platform CVE-2025-15620

| EUVDEUVD-2025-209199 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-04-02 VulnCheck GHSA-f68c-94vp-f2q5
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 02, 2026 - 21:01 euvd
EUVD-2025-209199
Analysis Generated
Apr 02, 2026 - 21:01 vuln.today
CVE Published
Apr 02, 2026 - 20:28 nvd
CRITICAL 9.2

DescriptionCVE.org

HiOS Switch Platform contains a denial-of-service vulnerability in the web interface that allows remote attackers to reboot the affected device by sending a malicious HTTP GET request to a specific endpoint. Attackers can trigger an uncontrolled reboot condition through crafted HTTP requests to cause service disruption and unavailability of the switch.

AnalysisAI

Remote denial-of-service in Belden Hirschmann HiOS Switch Platform allows unauthenticated attackers to reboot switches via crafted HTTP GET requests to the web interface. Affects versions 9.1.00-9.4.05 and 10.0.00-10.3.01. Exploitation requires no authentication (PR:N) and low complexity (AC:L), enabling trivial service disruption of network infrastructure. CVSS 9.2 (critical) reflects high availability impact on both vulnerable component and subsequent systems. No public exploit identified at time of analysis, though the attack vector is straightforward HTTP-based.

Technical ContextAI

This vulnerability affects the Belden Hirschmann HiOS Switch Platform (CPE: cpe:2.3:a:belden:hirschmann_hios_switch_platform), specifically the embedded web management interface on industrial Ethernet switches. The root cause is CWE-306 (Missing Authentication for Critical Function), indicating that a critical device reboot endpoint lacks proper authentication controls. The web interface accepts HTTP GET requests without validating credentials or session tokens, allowing anonymous remote attackers to invoke reboot functionality. HiOS is a proprietary operating system used in Hirschmann industrial switches for critical infrastructure and industrial control environments where device availability is paramount. The vulnerability demonstrates a fundamental security design flaw where administrative functions are exposed without authentication barriers, common in legacy industrial equipment developed before modern security frameworks became standard practice.

RemediationAI

Organizations should apply vendor-supplied patches by upgrading to HiOS versions beyond 9.4.05 for the 9.x branch and beyond 10.3.01 for the 10.x branch, as referenced in the Belden PSIRT advisory at https://assets.belden.com/m/702a656e81736b04/original/PSIRT-2_Web_Interface_HiOS.pdf. Specific patched version numbers should be obtained from the vendor advisory, which contains detailed remediation instructions. As an interim mitigation, restrict network access to the web management interface using firewall rules or VLANs to limit exposure to trusted administrative networks only, preventing unauthenticated remote access. Disable the web interface entirely if command-line or SNMP management alternatives are viable for the operational environment. Monitor switch logs for unexpected reboot events or suspicious HTTP requests to the management interface. Given the industrial control system deployment context, apply patches during scheduled maintenance windows with appropriate change control procedures to minimize operational disruption.

Share

CVE-2025-15620 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy