CVE-2026-27754
Received Received - Intake
MD5 Collision Enables Session Hijacking in SODOLA Firmware

Publication date: 2026-02-27

Last updated on: 2026-03-03

Assigner: VulnCheck

Description
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographically broken MD5 hash function for session cookie generation, weakening session security. Attackers can exploit predictable session tokens combined with MD5's collision vulnerabilities to forge valid session cookies and gain unauthorized access to the device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27754
EUVD
EUVD-2026-9044
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sodola-network sl902-swtgw124as_firmware to 200.1.20 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in SODOLA SL902-SWTGW124AS firmware versions through 200.1.20, where the device uses the cryptographically broken MD5 hash function to generate session cookies.

Because MD5 is vulnerable to collisions and predictable outputs, attackers can exploit this weakness to forge valid session cookies.

This allows unauthorized users to gain access to the device by bypassing normal authentication mechanisms.

Impact Analysis

This vulnerability can lead to unauthorized access to the affected device.

Attackers who successfully forge session cookies can potentially control or manipulate the device without permission.

This compromises the confidentiality and integrity of the device's operations and any data it handles.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27754. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart