Skip to main content

Atop EHG2408 CVE-2026-3823

CRITICAL
Stack-based Buffer Overflow (CWE-121)
2026-03-09 twcert@cert.org.tw
9.3
CVSS 4.0 · Vendor: cert
Share

Severity by source

Vendor (cert) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Unauthenticated network-reachable stack overflow with no user interaction yields full code execution, so AV:N/AC:L/PR:N/UI:N and C/I/A all High; scope unchanged as impact stays on the device.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (cert).

CVSS VectorVendor: cert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jul 07, 2026 - 08:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 07, 2026 - 08:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 07, 2026 - 08:22 vuln.today
cvss_changed
Severity Changed
Jul 07, 2026 - 08:22 NVD
HIGH CRITICAL
CVSS changed
Jul 07, 2026 - 08:22 NVD
8.8 (HIGH) 9.3 (CRITICAL)
Analysis Generated
Mar 12, 2026 - 21:56 vuln.today
CVE Published
Mar 09, 2026 - 07:16 nvd
HIGH 8.8

DescriptionCVE.org

EHG2408 series switch developed by Atop Technologies has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers to control the program's execution flow and execute arbitrary code.

AnalysisAI

Remote code execution in Atop Technologies EHG2408-series industrial Ethernet switches (including the EHG2408 and EHG2408-2SFP firmware) allows unauthenticated attackers to hijack the device's execution flow via a stack-based buffer overflow and run arbitrary code. The flaw was reported through Taiwan's CERT (TWCERT) and carries a CVSS 4.0 base score of 9.3, reflecting fully unauthenticated network exploitation with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the EPSS score is low (0.14%, 34th percentile), suggesting exploitation has not yet been observed at scale.

Technical ContextAI

The affected devices are Atop EHG2408 managed industrial Ethernet switches, commonly deployed in operational technology (OT) and industrial control environments for ruggedized network switching. The root cause is CWE-121 (Stack-based Buffer Overflow): a network-facing service on the switch firmware copies attacker-controlled input into a fixed-size stack buffer without adequate bounds checking, allowing the return address or saved registers on the call stack to be overwritten. CPE data identifies two firmware variants - cpe:2.3:o:blackbeartechhive:atop_ehg2408_firmware and cpe:2.3:o:blackbeartechhive:atop_ehg2408-2sfp_firmware - indicating the vulnerability resides in the embedded firmware rather than a specific application layer. On embedded RTOS/Linux switch firmware, such overflows frequently lead directly to code execution because these platforms often lack modern stack protections (stack canaries, ASLR, non-executable stack).

RemediationAI

Consult the TWCERT advisory (https://www.twcert.org.tw/en/cp-139-10753-e091e-2.html) and Atop Technologies for a patched firmware release and upgrade the EHG2408 and EHG2408-2SFP switches to the fixed version once available; no exact fix version was provided in the available data, so verify the target firmware version directly with the vendor. Because a specific patched version is not confirmed here, apply compensating controls in the interim: restrict access to the switch management and network-facing services to a dedicated, isolated management VLAN or OT segment and block reachability from IT/user and internet-facing networks (this prevents remote reach but requires an out-of-band or jump-host path for administration); place the device behind an access control list or firewall that limits which source hosts can reach management ports (side effect: legitimate management tooling must be enumerated and whitelisted); and disable any unused network services or management protocols on the switch to shrink the attack surface. Monitor the vendor and TWCERT pages for the released fixed firmware version.

Share

CVE-2026-3823 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy