Atop EHG2408 CVE-2026-3823
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network-reachable stack overflow with no user interaction yields full code execution, so AV:N/AC:L/PR:N/UI:N and C/I/A all High; scope unchanged as impact stays on the device.
Primary rating from Vendor (cert).
CVSS VectorVendor: cert
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
EHG2408 series switch developed by Atop Technologies has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers to control the program's execution flow and execute arbitrary code.
AnalysisAI
Remote code execution in Atop Technologies EHG2408-series industrial Ethernet switches (including the EHG2408 and EHG2408-2SFP firmware) allows unauthenticated attackers to hijack the device's execution flow via a stack-based buffer overflow and run arbitrary code. The flaw was reported through Taiwan's CERT (TWCERT) and carries a CVSS 4.0 base score of 9.3, reflecting fully unauthenticated network exploitation with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the EPSS score is low (0.14%, 34th percentile), suggesting exploitation has not yet been observed at scale.
Technical ContextAI
The affected devices are Atop EHG2408 managed industrial Ethernet switches, commonly deployed in operational technology (OT) and industrial control environments for ruggedized network switching. The root cause is CWE-121 (Stack-based Buffer Overflow): a network-facing service on the switch firmware copies attacker-controlled input into a fixed-size stack buffer without adequate bounds checking, allowing the return address or saved registers on the call stack to be overwritten. CPE data identifies two firmware variants - cpe:2.3:o:blackbeartechhive:atop_ehg2408_firmware and cpe:2.3:o:blackbeartechhive:atop_ehg2408-2sfp_firmware - indicating the vulnerability resides in the embedded firmware rather than a specific application layer. On embedded RTOS/Linux switch firmware, such overflows frequently lead directly to code execution because these platforms often lack modern stack protections (stack canaries, ASLR, non-executable stack).
RemediationAI
Consult the TWCERT advisory (https://www.twcert.org.tw/en/cp-139-10753-e091e-2.html) and Atop Technologies for a patched firmware release and upgrade the EHG2408 and EHG2408-2SFP switches to the fixed version once available; no exact fix version was provided in the available data, so verify the target firmware version directly with the vendor. Because a specific patched version is not confirmed here, apply compensating controls in the interim: restrict access to the switch management and network-facing services to a dedicated, isolated management VLAN or OT segment and block reachability from IT/user and internet-facing networks (this prevents remote reach but requires an out-of-band or jump-host path for administration); place the device behind an access control list or firewall that limits which source hosts can reach management ports (side effect: legitimate management tooling must be enumerated and whitelisted); and disable any unused network services or management protocols on the switch to shrink the attack surface. Monitor the vendor and TWCERT pages for the released fixed firmware version.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today