Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Remote unauthenticated bypass with unspecified preconditions (AC:H); no integrity or availability impact described, only confidentiality exposure.
Primary rating from Vendor (Digi).
CVSS VectorVendor: Digi
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.
AnalysisAI
Authentication bypass in Digi International PortServer TS 1/2/4 and Digi One SP/SP IA/IA serial device servers permits remote unauthenticated attackers to circumvent authorization controls and access restricted device resources. The CVSS vector (AV:N/AC:H/PR:N/UI:N) confirms remote, credential-free exploitation but places High Attack Complexity on the flaw, indicating specific preconditions must be met - limiting opportunistic or automated mass exploitation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The CVSS vector (AV:N/AC:H/PR:N/UI:N) confirms that exploitation is remote and requires no credentials or user interaction, but AC:H establishes that specific preconditions beyond the attacker's direct control must be present. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 5.9 (Medium) is primarily shaped by AC:H, which substantially reduces exploitation ease from what a network-accessible, no-auth bypass would otherwise suggest. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker with network-level access to a Digi PortServer TS or Digi One SP management interface crafts a specially formatted request that exploits the incorrect authorization logic, meeting the AC:H preconditions - such as a specific timing window, parameter sequence, or request structure - to bypass access controls without credentials. The attacker gains read access to restricted device resources, potentially including stored configuration data, serial communication logs, or credentials for connected serial equipment. … |
| Remediation | Consult the Digi International security advisory at https://www.digi.com/resources/security for firmware patches and exact remediated version numbers, as confirmed patched versions are not available in the current data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42047
GHSA-jmv4-p83r-grw3