CVE-2018-25236
Received Received - Intake
Authentication Bypass in Hirschmann HiOS HTTP(S) Management Module

Publication date: 2026-04-03

Last updated on: 2026-04-03

Assigner: VulnCheck

Description
Hirschmann HiOS and HiSecOS products RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, EAGLE contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative access by crafting specially formed HTTP requests. Attackers can exploit improper authentication handling to obtain the authentication status and privileges of a previously authenticated user without providing valid credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-14
NVD
CVE-2018-25236
EUVD
EUVD-2018-21730
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
hirschmann hios *
hirschmann hisecos *
hirschmann rsp *
hirschmann rspe *
hirschmann rsps *
hirschmann rspl *
hirschmann msp *
hirschmann ees *
hirschmann eesx *
hirschmann grs *
hirschmann os *
hirschmann red *
hirschmann eagle *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Hirschmann HiOS and HiSecOS products' HTTP(S) management module. It is an authentication bypass flaw that allows unauthenticated remote attackers to gain administrative access by sending specially crafted HTTP requests.

The issue arises from improper authentication handling, enabling attackers to obtain the authentication status and privileges of a previously authenticated user without needing valid credentials.

Impact Analysis

An attacker exploiting this vulnerability can gain administrative access to affected Hirschmann devices remotely without authentication.

This can lead to unauthorized control over the device, potentially allowing the attacker to change configurations, disrupt network operations, or access sensitive information.

Compliance Impact

This vulnerability allows unauthenticated remote attackers to gain administrative access by bypassing authentication in Hirschmann HiOS and HiSecOS products. Such unauthorized access can lead to exposure, modification, or deletion of sensitive data.

As a result, organizations using affected products may face challenges in maintaining compliance with common standards and regulations such as GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Failure to prevent unauthorized administrative access could lead to data breaches, potentially violating data protection requirements and resulting in legal and financial consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25236. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart