Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint requires no authentication and returns only version metadata, so PR:N, AV:N, C:L, and no integrity or availability impact apply.
Primary rating from Vendor (HackRTU).
CVSS VectorVendor: HackRTU
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An attacker with access via network to the Regesta Smart HD-PLC of the provider Teldat (in this case, NO registration action is required) who has the vulnerable software could obtain privilege information by using the command Version via the path: /upgrade/query.php?cmd=p+3&3Bversion resulting in a information disclosure. This issue affects Regesta Smart HD-PLC - TLDPH16D2: 11.02.05.10.02.
AnalysisAI
Unauthenticated information disclosure in the Teldat Regesta Smart HD-PLC (model TLDPH16D2, firmware 11.02.05.10.02) exposes version and privilege data via a PHP-based upgrade query endpoint accessible over the network without any login or registration. An attacker sends a crafted HTTP request to /upgrade/query.php?cmd=p+3&3Bversion and receives sensitive system metadata in the response, violating CWE-201 by returning information that should be restricted. No active exploitation has been confirmed (not in CISA KEV), and the direct impact is limited to confidentiality, but the exposed data can enable targeted follow-on attacks against this HD-PLC networking device.
Technical ContextAI
The Teldat Regesta Smart HD-PLC is a High Definition Power Line Communication networking device, identified by CPE cpe:2.3:a:teldat:regesta_smart_hd-plc_-_tldph16d2:*:*:*:*:*:*:*:*. The device runs a PHP-based web management interface that includes an upgrade/query subsystem at /upgrade/query.php. This endpoint accepts a cmd parameter and, when supplied with the Version command (p+3&3Bversion), responds with privilege-level and version information without enforcing any access control or session validation. The root cause is CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the application actively returns data that should be restricted - the endpoint is not merely leaking data incidentally but is designed to respond to the Version command without gating it behind authentication. This pattern is common in embedded device firmware where diagnostic or upgrade endpoints are implemented separately from the main authentication layer and inadvertently left exposed.
RemediationAI
A vendor-released patch is available per the HackRTU advisory at https://www.hackrtu.com/blog/CNA-CVE-2026-27868/ and via the Teldat customer support portal at https://support.teldat.com/portal/supportcontent. The exact fixed firmware version number was not specified in the available data, so administrators should contact Teldat support directly to obtain the corrected release and confirm the target version before deploying. As a compensating control pending patch deployment, administrators should restrict network access to the device's web management interface using firewall rules or ACLs that block external traffic to TCP port 80/443, specifically preventing access to the /upgrade/query.php path from untrusted network segments - be aware this may disrupt remote management workflows. If the device is deployed at a network perimeter, placing it behind a management VLAN or jump host will reduce exposure without functional impact to PLC data path traffic.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37576