CRITICAL🇵🇱 Wersja polska

CVE-2025-52689

CVSS 9.8v3.1pub. 2025-07-16upd. 2026-04-15

Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the access point.

🤖 AI Analysis
How it works

An attacker can spoof a login request, as a result of which the system grants them a valid session ID with administrator privilege level without the need to provide valid authentication credentials. This is a classic session fixation or session hijacking scenario where the session management mechanism does not properly verify the identity of the requester before granting a privileged session. A proof-of-concept (PoC) exploit is publicly available on GitHub.

Impact

An unauthenticated attacker remotely gains full administrative access to the access point, allowing modification of its configuration and behavior — including potentially redirecting network traffic, disabling security measures, or taking control of wireless infrastructure.

Mitigation & patch

Apply patches available from the manufacturer according to the references — detailed information is contained in the official Alcatel-Lucent Enterprise security bulletin (SA-N0150-OmniAccess-Stellar-Multiple-Vulnerabilities). Until patches are deployed, it is recommended to restrict access to the device management interface exclusively to trusted networks or hosts.

Who is affected

Alcatel-Lucent Enterprise OmniAccess Stellar devices — specific software versions indicated in the manufacturer's references (document SA-N0150).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References