CRITICAL🇵🇱 Wersja polska

CVE-2025-28242

CVSS 9.8v3.1pub. 2025-04-18upd. 2026-04-15

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack.

🤖 AI Analysis
How it works

The /login_ok.htm endpoint in DAEnetIP4 METO v1.25 improperly manages user sessions (CWE-384 – Session Fixation). An attacker can exploit this flaw to hijack an active session of an authenticated user without needing to know their login credentials. The attack is possible remotely, without authentication, and without user interaction on the victim's side.

Impact

An attacker can hijack the session of a logged-in user and gain full access to device functions, which may lead to unauthorized configuration access, settings modification, and system availability breach.

Mitigation & patch

Apply patches available from the manufacturer according to references. Temporarily, it is recommended to restrict network access to the device management panel (e.g., through firewall or dedicated network segment) to minimize exploitation risk.

Who is affected

DAEnetIP4 METO version 1.25

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References