Skip to main content

Regesta Smart HD-PLC EUVDEUVD-2026-37576

| CVE-2026-27868 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-17 HackRTU
6.9
CVSS 4.0 · Vendor: HackRTU
Share

Severity by source

Vendor (HackRTU) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-reachable endpoint requires no authentication and returns only version metadata, so PR:N, AV:N, C:L, and no integrity or availability impact apply.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (HackRTU).

CVSS VectorVendor: HackRTU

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 10:15 vuln.today

DescriptionCVE.org

An attacker with access via network to the Regesta Smart HD-PLC of the provider Teldat (in this case, NO registration action is required) who has the vulnerable software could obtain privilege information by using the command Version via the path: /upgrade/query.php?cmd=p+3&3Bversion resulting in a information disclosure. This issue affects Regesta Smart HD-PLC - TLDPH16D2: 11.02.05.10.02.

AnalysisAI

Unauthenticated information disclosure in the Teldat Regesta Smart HD-PLC (model TLDPH16D2, firmware 11.02.05.10.02) exposes version and privilege data via a PHP-based upgrade query endpoint accessible over the network without any login or registration. An attacker sends a crafted HTTP request to /upgrade/query.php?cmd=p+3&3Bversion and receives sensitive system metadata in the response, violating CWE-201 by returning information that should be restricted. No active exploitation has been confirmed (not in CISA KEV), and the direct impact is limited to confidentiality, but the exposed data can enable targeted follow-on attacks against this HD-PLC networking device.

Technical ContextAI

The Teldat Regesta Smart HD-PLC is a High Definition Power Line Communication networking device, identified by CPE cpe:2.3:a:teldat:regesta_smart_hd-plc_-_tldph16d2:*:*:*:*:*:*:*:*. The device runs a PHP-based web management interface that includes an upgrade/query subsystem at /upgrade/query.php. This endpoint accepts a cmd parameter and, when supplied with the Version command (p+3&3Bversion), responds with privilege-level and version information without enforcing any access control or session validation. The root cause is CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the application actively returns data that should be restricted - the endpoint is not merely leaking data incidentally but is designed to respond to the Version command without gating it behind authentication. This pattern is common in embedded device firmware where diagnostic or upgrade endpoints are implemented separately from the main authentication layer and inadvertently left exposed.

RemediationAI

A vendor-released patch is available per the HackRTU advisory at https://www.hackrtu.com/blog/CNA-CVE-2026-27868/ and via the Teldat customer support portal at https://support.teldat.com/portal/supportcontent. The exact fixed firmware version number was not specified in the available data, so administrators should contact Teldat support directly to obtain the corrected release and confirm the target version before deploying. As a compensating control pending patch deployment, administrators should restrict network access to the device's web management interface using firewall rules or ACLs that block external traffic to TCP port 80/443, specifically preventing access to the /upgrade/query.php path from untrusted network segments - be aware this may disrupt remote management workflows. If the device is deployed at a network perimeter, placing it behind a management VLAN or jump host will reduce exposure without functional impact to PLC data path traffic.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-37576 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy