CVE-2026-22903
Stack Buffer Overflow in Lighttpd SESSIONID Cookie Enables RCE
Publication date: 2026-02-09
Last updated on: 2026-02-09
Assigner: CERT VDE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lighttpd | lighttpd | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-22903 is a critical stack-based buffer overflow vulnerability in a modified lighttpd server used in the WAGO 852-1328 Industrial-Managed-Switch firmware version 2.64 and earlier. An unauthenticated remote attacker can send a specially crafted HTTP request containing an overly long SESSIONID cookie, which triggers the overflow. This can cause the server to crash and potentially allows the attacker to execute arbitrary code remotely.'}, {'type': 'paragraph', 'content': "The vulnerability also enables bypassing authentication controls and obtaining plaintext administrative credentials due to weaknesses in the device's web-based management interface."}] [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including remote code execution by attackers, crashing the web service, bypassing authentication mechanisms, and exposing plaintext administrative credentials. Such impacts can lead to full compromise of the affected device, unauthorized access, disruption of services, and potential further exploitation within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually long SESSIONID cookies in HTTP requests sent to the affected lighttpd server or the WAGO 852-1328 Industrial-Managed-Switch web interface.
Network detection can involve capturing HTTP traffic and inspecting cookie lengths for anomalies.
On the system hosting the vulnerable service, checking for crashes or abnormal behavior of the lighttpd server process may indicate exploitation attempts.
Specific commands are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate recommended mitigation is to update the firmware of the affected device (WAGO 852-1328 Industrial-Managed-Switch) to version 02.65 or later, which addresses this and other related vulnerabilities.
Until the update can be applied, restricting access to the web-based management interface and monitoring for suspicious activity may help reduce risk.