CVE-2025-27260

EUVD-2025-208979 | HIGH
2026-03-25 | ERIC | GHSA-3222-m64x-qwpg
CVSS 4.0: 7.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

EUVD ID Assigned: Mar 25, 2026 - 13:30 (euvd), EUVD-2025-208979
Analysis Generated: Mar 25, 2026 - 13:30 (vuln.today)
CVE Published: Mar 25, 2026 - 12:54 (nvd), HIGH 7.2

Description

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contain an Improper Filtering of Special Elements vulnerability which, if exploited, can lead to unauthorized modification of certain information.

Analysis

Ericsson Indoor Connect 8855 prior to version 2025.Q3 contains an Improper Filtering of Special Elements vulnerability (CWE-790) that allows attackers to bypass input validation controls and achieve unauthorized modification of sensitive information. This vulnerability affects all versions of the Indoor Connect 8855 product line below the 2025.Q3 release. No CVSS score, CVSS vector, EPSS data, or active exploitation status is currently available in public sources, limiting quantitative risk assessment, though the CWE-790 classification suggests the vulnerability involves inadequate sanitization of special characters or metacharacters in user input.

Technical Context

The vulnerability resides in Ericsson Indoor Connect 8855 (identified via CPE cpe:2.3:a:ericsson:indoor_connect_8855:*:*:*:*:*:*:*:*), a network-connected indoor positioning and connectivity solution used in enterprise environments. CWE-790 (Improper Filtering of Special Elements) indicates the root cause is insufficient validation or filtering of special characters, metacharacters, or control sequences before processing user-supplied data. This class of vulnerability typically occurs when input containing special elements (such as SQL metacharacters, command injection sequences, or script tags) is not adequately canonicalized or escaped before being used in a security-critical context. In the context of Indoor Connect 8855, this likely affects configuration, administrative interfaces, or API endpoints where specially crafted input can bypass intended restrictions and modify protected data.

Affected Products

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 are affected, as confirmed by the published CPE string (cpe:2.3:a:ericsson:indoor_connect_8855:*:*:*:*:*:*:*:*). Affected organizations should identify all deployed instances of Indoor Connect 8855 below version 2025.Q3. Vendor security advisories and patch information are available from Ericsson's Product Security Incident Response Team (PSIRT) at https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-27260 and https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-indoorconnect-march-2026.
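
An added example, not from Ericsson or the original page: a small triage script that sorts an asset inventory into affected, fixed and unknown against the 2025.Q3 boundary stated above. It assumes installed releases are recorded as "YYYY.Qn" strings, the form the page uses; the host names and release values in the inventory are constructed.

```python
import re

# First fixed release according to the page: 2025.Q3
FIXED_RELEASE = (2025, 3)

# Assumption: releases are recorded as "YYYY.Qn" (the notation the page uses).
_RELEASE_RE = re.compile(r"^\s*(\d{4})\.Q([1-4])\s*$", re.IGNORECASE)


def parse_release(text):
    """Return (year, quarter) for a 'YYYY.Qn' string, or None if it does not match."""
    m = _RELEASE_RE.match(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(release_text):
    """Classify one release string as 'affected', 'fixed' or 'unknown'."""
    rel = parse_release(release_text)
    if rel is None:
        # Never assume an unparseable record is patched; send it to manual review.
        return "unknown"
    return "affected" if rel < FIXED_RELEASE else "fixed"


def triage(inventory):
    """Group (host, release) pairs by classification, preserving input order."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for host, release in inventory:
        report[classify(release)].append(host)
    return report


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = [
    ("ic8855-lab-01", "2025.Q3"),
    ("ic8855-hq-02", "2025.Q2"),
    ("ic8855-hq-03", "2024.Q4"),
    ("ic8855-br-04", "2026.q1"),
    ("ic8855-br-05", ""),        # release never recorded
    ("ic8855-br-06", "R12B"),    # constructed value in a different notation
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be checked by hand before they are counted as remediated.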

Remediation

Upgrade Ericsson Indoor Connect 8855 to version 2025.Q3 or later immediately. Consult Ericsson's PSIRT security bulletin at https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-27260 for detailed upgrade procedures and compatibility considerations. Until patching can be completed, implement network segmentation to restrict access to Indoor Connect 8855 administrative interfaces and APIs to trusted internal networks only, disable or restrict any user-facing input mechanisms that accept special characters, and monitor configuration logs for unauthorized modification attempts. Coordinate with Ericsson support if upgrade timelines extend beyond 30 days to discuss interim mitigations specific to your deployment configuration.

Priority Score

36 (KEV: 0, EPSS: +0.0, CVSS: +36, POC: 0)
