Description
Hirschmann Industrial HiVision versions 06.0.00 and 07.0.00 prior to 06.0.06 and 07.0.01 contain an improper authorization vulnerability that allows read-only users to gain write access to managed devices by bypassing access control mechanisms. Attackers can exploit alternative interfaces such as the web interface or SNMP browser to modify device configurations despite having restricted permissions.
Published: 2026-04-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper authorization flaw that allows read‑only users to obtain write access to managed devices, enabling modification of device configurations. Attackers can exploit this via the web interface or SNMP browser, bypassing the intended access controls. This leads to unauthorized configuration changes, potentially compromising device integrity and control.

Affected Systems

The affected product is Belden Hirschmann Industrial HiVision firmware. Versions 06.0.00 and 07.0.00 are vulnerable, and the flaw remains in all releases prior to 06.0.06 and 07.0.01. Any device running these firmware versions with web or SNMP interfaces enabled is at risk.

Risk and Exploitability

The CVSS score of 7.1 rates this vulnerability as high severity. The EPSS score is less than 1%, indicating a low but non‑zero exploitation probability, and it has not been listed in the CISA KEV catalog. The exploit can be performed through standard management interfaces; the attack vector is inferred to be remote via web or SNMP, as implied by the description. Therefore, the risk remains significant for systems still operating unpatched firmware.

Generated by OpenCVE AI on May 12, 2026 at 23:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to at least version 06.0.06 or 07.0.01, which contain the fix for the authorization flaw.
  • If an upgrade is not immediately feasible, restrict or disable web interface and SNMP access for read‑only accounts, or move read‑only users to accounts that cannot connect to those interfaces.
  • Monitor device logs for unauthorized configuration changes and audit access control settings.
  • Validate that other management interfaces are secured and that no additional privileged access is available to read‑only users.


Advisories

No advisories yet.

History

Tue, 12 May 2026 21:30:00 +0000

Type: Metrics
Values Removed: cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}
Values Added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}


Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Belden; Belden hirschmann Industrial Hivision

Type: Vendors & Products
Values Added: Belden; Belden hirschmann Industrial Hivision

Mon, 06 Apr 2026 20:00:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 22:45:00 +0000

Type: Description
Values Added: Hirschmann Industrial HiVision versions 06.0.00 and 07.0.00 prior to 06.0.06 and 07.0.01 contains an improper authorization vulnerability that allows read-only users to gain write access to managed devices by bypassing access control mechanisms. Attackers can exploit alternative interfaces such as the web interface or SNMP browser to modify device configurations despite having restricted permissions.

Type: Title
Values Added: Hirschmann Industrial HiVision Improper Authorization Privilege Escalation

Type: Weaknesses
Values Added: CWE-285

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}; cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Belden Hirschmann Industrial Hivision
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-12T20:46:16.070Z

Reserved: 2026-04-03T22:02:22.395Z

Link: CVE-2017-20238

Vulnrichment

Updated: 2026-04-06T18:00:44.393Z

NVD

Status: Awaiting Analysis

Published: 2026-04-03T23:17:00.633

Modified: 2026-04-07T13:20:55.200

Link: CVE-2017-20238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:15:27Z

Weaknesses