Skip to main content

Digi PortServer TS EUVDEUVD-2026-42047

| CVE-2026-12352 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-07 Digi GHSA-jmv4-p83r-grw3
5.9
CVSS 3.1 · Vendor: Digi
Share

Severity by source

Vendor (Digi) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

Remote unauthenticated bypass with unspecified preconditions (AC:H); no integrity or availability impact described, only confidentiality exposure.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Digi).

CVSS VectorVendor: Digi

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 15:28 vuln.today

DescriptionCVE.org

This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.

AnalysisAI

Authentication bypass in Digi International PortServer TS 1/2/4 and Digi One SP/SP IA/IA serial device servers permits remote unauthenticated attackers to circumvent authorization controls and access restricted device resources. The CVSS vector (AV:N/AC:H/PR:N/UI:N) confirms remote, credential-free exploitation but places High Attack Complexity on the flaw, indicating specific preconditions must be met - limiting opportunistic or automated mass exploitation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify network-accessible Digi device management interface
Delivery
Craft authorization-bypass request meeting AC:H preconditions
Exploit
Trigger CWE-863 incorrect authorization check
Execution
Access restricted device resources
Impact
Harvest configuration data or serial credentials

Vulnerability AssessmentAI

Exploitation The CVSS vector (AV:N/AC:H/PR:N/UI:N) confirms that exploitation is remote and requires no credentials or user interaction, but AC:H establishes that specific preconditions beyond the attacker's direct control must be present. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 5.9 (Medium) is primarily shaped by AC:H, which substantially reduces exploitation ease from what a network-accessible, no-auth bypass would otherwise suggest. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker with network-level access to a Digi PortServer TS or Digi One SP management interface crafts a specially formatted request that exploits the incorrect authorization logic, meeting the AC:H preconditions - such as a specific timing window, parameter sequence, or request structure - to bypass access controls without credentials. The attacker gains read access to restricted device resources, potentially including stored configuration data, serial communication logs, or credentials for connected serial equipment. …
Remediation Consult the Digi International security advisory at https://www.digi.com/resources/security for firmware patches and exact remediated version numbers, as confirmed patched versions are not available in the current data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42047 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy