Skip to main content

S2OPC EUVDEUVD-2026-36003

| CVE-2026-9758 HIGH
Improper Certificate Validation (CWE-295)
2026-06-10 GitLab GHSA-q89f-427x-5p67
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 10, 2026 - 15:01 EUVD
Analysis Generated
Jun 10, 2026 - 14:00 vuln.today

DescriptionNVD

Improper comparison with the certificates trusted list in S2OPC allows an attacker well-formed untrusted certificate to be considered trusted

AnalysisAI

Improper certificate trust validation in Systerel S2OPC allows remote attackers to have well-formed but untrusted X.509 certificates accepted as trusted, undermining the OPC UA secure channel authentication model. CVSS 7.3 reflects network-reachable, unauthenticated exploitation with low impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. The flaw is reported by GitLab and tracked in Systerel's public issue tracker, with no CISA KEV listing.

Technical ContextAI

S2OPC is Systerel's open-source implementation of the OPC UA (IEC 62541) protocol stack, widely embedded in industrial automation, SCADA gateways, and IoT edge devices to provide secure machine-to-machine communication. OPC UA secure channels depend on X.509 certificate chains validated against a configured trust list and certificate revocation list during the OpenSecureChannel handshake. CWE-295 (Improper Certificate Validation) here manifests as a flawed comparison routine against the trusted list, so a syntactically valid certificate that should be rejected can pass the trust check, defeating the PKI assumptions underpinning client/server authentication in S2OPC-based deployments referenced by cpe:2.3:a:systerel:s2opc:*.

RemediationAI

Patch available per vendor advisory - track the Systerel issue at https://gitlab.com/systerel/S2OPC/-/work_items/1770 for the fixed S2OPC release and upgrade all client and server deployments to that version once tagged; the supplied data does not include an exact fix version, so verify against the upstream release notes before deployment. Until the patched build is rolled out, restrict OPC UA endpoints (TCP 4840 by default) to known-good network segments using firewall ACLs and OT-DMZ segmentation, which reduces the attacker population at the cost of breaking ad-hoc integrations. Additionally, prune the trust list to the minimum set of issuing CAs and pinned end-entity certificates required, and where the OPC UA application permits, switch to user-token authentication (username/password or X.509 user identity tokens) layered on top of channel security so that a single trust bypass does not yield session access; note that aggressive trust-list pruning can disrupt onboarding of new devices and requires updated operational procedures.

Share

EUVD-2026-36003 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy