Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a cross-site request forgery vulnerability that allows attackers to modify device configuration by exploiting missing CSRF protections in setup.cgi. Attackers can host malicious pages that submit forged requests using automatically-included HTTP Basic Authentication credentials to add RADIUS accounts, alter network settings, or trigger diagnostics.
AnalysisAI
Hereta ETH-IMC408M devices running firmware 1.0.15 and earlier are vulnerable to cross-site request forgery attacks that allow unauthenticated remote attackers to modify device configuration through setup.cgi, including adding RADIUS accounts and altering network settings. The vulnerability exploits missing CSRF protections combined with automatic inclusion of HTTP Basic Authentication credentials, requiring only user interaction to trigger the attack. No patch is currently available.
Technical ContextAI
Cross-Site Request Forgery forces authenticated users to perform unintended actions by tricking their browser into sending forged requests. This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352).
RemediationAI
Implement anti-CSRF tokens for all state-changing operations. Use SameSite cookie attribute. Verify the Origin/Referer header on the server side.
More in Eth Imc408M Firmware
View allReflected XSS in Hereta ETH-IMC408M firmware versions 1.0.15 and earlier enables attackers to inject malicious scripts t
Stored XSS in Hereta ETH-IMC408M firmware v1.0.15 and earlier allows authenticated users to execute arbitrary JavaScript
Stored XSS in Hereta ETH-IMC408M firmware versions 1.0.15 and earlier enables authenticated attackers to execute arbitra
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12464