Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack.
The /login_ok.htm endpoint in DAEnetIP4 METO v1.25 improperly manages user sessions (CWE-384 – Session Fixation). An attacker can exploit this flaw to hijack an active session of an authenticated user without needing to know their login credentials. The attack is possible remotely, without authentication, and without user interaction on the victim's side.
An attacker can hijack the session of a logged-in user and gain full access to device functions, which may lead to unauthorized configuration access, settings modification, and system availability breach.
Apply patches available from the manufacturer according to references. Temporarily, it is recommended to restrict network access to the device management panel (e.g., through firewall or dedicated network segment) to minimize exploitation risk.
DAEnetIP4 METO version 1.25
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H