Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionNVD
Improper comparison with the certificates trusted list in S2OPC allows an attacker well-formed untrusted certificate to be considered trusted
AnalysisAI
Improper certificate trust validation in Systerel S2OPC allows remote attackers to have well-formed but untrusted X.509 certificates accepted as trusted, undermining the OPC UA secure channel authentication model. CVSS 7.3 reflects network-reachable, unauthenticated exploitation with low impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. The flaw is reported by GitLab and tracked in Systerel's public issue tracker, with no CISA KEV listing.
Technical ContextAI
S2OPC is Systerel's open-source implementation of the OPC UA (IEC 62541) protocol stack, widely embedded in industrial automation, SCADA gateways, and IoT edge devices to provide secure machine-to-machine communication. OPC UA secure channels depend on X.509 certificate chains validated against a configured trust list and certificate revocation list during the OpenSecureChannel handshake. CWE-295 (Improper Certificate Validation) here manifests as a flawed comparison routine against the trusted list, so a syntactically valid certificate that should be rejected can pass the trust check, defeating the PKI assumptions underpinning client/server authentication in S2OPC-based deployments referenced by cpe:2.3:a:systerel:s2opc:*.
RemediationAI
Patch available per vendor advisory - track the Systerel issue at https://gitlab.com/systerel/S2OPC/-/work_items/1770 for the fixed S2OPC release and upgrade all client and server deployments to that version once tagged; the supplied data does not include an exact fix version, so verify against the upstream release notes before deployment. Until the patched build is rolled out, restrict OPC UA endpoints (TCP 4840 by default) to known-good network segments using firewall ACLs and OT-DMZ segmentation, which reduces the attacker population at the cost of breaking ad-hoc integrations. Additionally, prune the trust list to the minimum set of issuing CAs and pinned end-entity certificates required, and where the OPC UA application permits, switch to user-token authentication (username/password or X.509 user identity tokens) layered on top of channel security so that a single trust bypass does not yield session access; note that aggressive trust-list pruning can disrupt onboarding of new devices and requires updated operational procedures.
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36003
GHSA-q89f-427x-5p67