Skip to main content

Openplc V3 CVE-2026-28205

| EUVDEUVD-2026-21009 CRITICAL
Initialization of a Resource with an Insecure Default (CWE-1188)
2026-04-09 icscert GHSA-3r9q-7hff-7fm4
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Apr 28, 2026 - 17:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 09, 2026 - 19:15 euvd
EUVD-2026-21009
Analysis Generated
Apr 09, 2026 - 19:15 vuln.today
CVE Published
Apr 09, 2026 - 18:54 nvd
CRITICAL 9.2

DescriptionCVE.org

OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API.

AnalysisAI

Authentication bypass in OpenPLC_V3 allows unauthenticated remote attackers to gain unauthorized system access through insecurely configured API endpoints. The vulnerability stems from insecure default resource initialization (CWE-1188), enabling complete circumvention of authentication mechanisms. Attackers can exploit this over the network with low attack complexity to achieve high confidentiality, integrity, and availability impact across vulnerable and subsequent systems. No public exploit identified at time of analysis.

Technical ContextAI

Root cause: insecure default initialization (CWE-1188) in API authentication layer. CVSS v4.0 vector confirms unauthenticated network attack (PR:N, AV:N) with cross-system impact (SC:L/SI:H/SA:H). Default credentials or missing authentication checks in API endpoints enable complete access control bypass without user interaction.

RemediationAI

No vendor-released patch identified at time of analysis. Immediate mitigation: disable or restrict network access to OpenPLC_V3 API endpoints via firewall rules permitting only trusted IP ranges. Implement reverse proxy with mandatory authentication layer before API. Change all default credentials if configurable. Monitor CISA ICS advisory ICSA-25-345-10 for vendor patch announcements: https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10. For production ICS environments, consider isolating affected systems on dedicated network segments with strict access controls until patches release.

Share

CVE-2026-28205 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy