Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Adjacent network required (AV:A); admin portal access implies full config read (C:H) and write (I:H); no direct availability impact described.
Primary rating from Vendor (airbus).
CVSS VectorVendor: airbus
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was discovered on Stormshield Network Security 4.3.0 to 4.3.41 (included), 4.4.0 to 4.8.15 (included) , 5.0.2 EA to 5.0.5 (included)
A revoked client certificate can still be used to authenticate to the captive‑admin portal, allowing an attacker who possesses the revoked certificate to gain administrative access.
AnalysisAI
Administrative access to the Stormshield Network Security captive-admin portal is bypassed when an attacker presents a revoked client certificate, because the portal does not enforce certificate revocation checks during TLS mutual authentication. Affected versions span three branches: 4.3.0-4.3.41, 4.4.0-4.8.15, and 5.0.2 EA-5.0.5. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three specific prerequisites must be met: (1) the attacker must possess a client certificate that was previously issued for authentication to the SNS captive-admin portal and has since been revoked - arbitrary certificates or certificates for other systems are not usable; (2) the attacker must have adjacent network access to the captive-admin portal's listening interface (AV:A - not exploitable from the open internet unless the portal is explicitly internet-exposed, which would be atypical for a management interface); (3) the target SNS instance must be running one of the affected version branches (4.3.0-4.3.41, 4.4.0-4.8.15, or 5.0.2 EA-5.0.5) with the captive-admin portal feature active. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 4.3 (Medium, AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) significantly understates real-world impact for environments using client certificate authentication for SNS administration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A former administrator whose client certificate was revoked after offboarding connects to the internal management network segment hosting the SNS captive-admin portal. Using standard TLS client tooling (e.g., curl with the certificate and key files), they authenticate to the portal - the portal accepts the revoked certificate without checking revocation status and grants full administrative access to the firewall appliance. … |
| Remediation | Consult the Stormshield advisory at https://advisories.stormshield.eu/2026-002/ for the vendor-released patch; the exact fixed version number is not specified in available intelligence and cannot be independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Stormshield Network Security
View allzlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header
The L2TP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted L2TP control packet
The PPP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted PPP authentication m
On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the HFS+ p
An issue was discovered in Stormshield Network Security (SNS) before 5.0.1. Rated high severity (CVSS 7.5), this vulnera
An issue was discovered in Stormshield Network Security (SNS) before 4.3.17, 4.4.x through 4.6.x before 4.6.4, and 4.7.x
An issue was discovered in Stormshield Network Security (SNS) SNS 4.3.13 through 4.3.22 before 4.3.23, SNS 4.6.0 through
ASQ in Stormshield Network Security (SNS) 4.3.15 before 4.3.16 and 4.6.x before 4.6.3 allows a crash when analysing a cr
strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a craft
Flooding SNS firewall versions 3.7.0 to 3.7.29, 3.11.0 to 3.11.17, 4.2.0 to 4.2.10, and 4.3.0 to 4.3.6 with specific for
An issue was discovered in Stormshield Network Security (SNS) 4.3.x before 4.3.8. Rated high severity (CVSS 7.5), this v
In Stormshield Network Security (SNS) before 3.7.25, 3.8.x through 3.11.x before 3.11.13, 4.x before 4.2.10, and 4.3.x b
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41043
GHSA-2j5q-9jw8-9qj5