Description
HiSecOS web server versions 03.4.00 prior to 04.1.00 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially crafted packets to the web server. Attackers can exploit this flaw to gain full administrative access to the affected device.
Published: 2026-04-02
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows authenticated users with operator or auditor roles to send specially crafted packets to the HiSecOS web server and elevate their privileges to administrator. Once an attacker gains administrator access, they can fully control the device, modify system settings, access sensitive data, and potentially use the device as a pivot point for further network attacks. The weakness, identified as controlled privilege escalation, can compromise confidentiality, integrity, and availability of the system.

Affected Systems

Belden Hirschmann HiSecOS EAGLE devices running any web server build prior to version 04.1.00, including the 03.4.00 release and subsequent 04.0.x builds. The flaw applies to all builds below 04.1.00; no specific advisory lists additional vendors or product lines.

Risk and Exploitability

The CVSS score of 8.7 classifies this flaw as high severity. Exploitation requires that the attacker already possesses valid credentials with operator or auditor privileges, often limiting the threat to internal or compromised accounts. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, yet because the flaw can grant full administrative control, the risk to exposed devices remains significant.

Generated by OpenCVE AI on April 3, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to version 04.1.00 or later to patch the privilege escalation flaw.
  • Restrict network access to the HiSecOS web interface to trusted users and blocks from untrusted networks.
  • If a firmware update cannot be performed immediately, disable or remove any unnecessary web server services and consider isolating the device from external networks.

Generated by OpenCVE AI on April 3, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Belden
Belden hirschmann Hisecos
Vendors & Products Belden
Belden hirschmann Hisecos

Thu, 02 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Description HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially crafted packets to the web server. Attackers can exploit this flaw to gain full administrative access to the affected device. HiSecOS web server versions 03.4.00 prior to 04.1.00 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially crafted packets to the web server. Attackers can exploit this flaw to gain full administrative access to the affected device.
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

 cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially crafted packets to the web server. Attackers can exploit this flaw to gain full administrative access to the affected device.
Title Belden HiSecOS Web Server Privilege Escalation
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Belden Hirschmann Hisecos
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-02T22:28:20.774Z

Reserved: 2026-04-01T21:24:27.566Z

Link: CVE-2023-7342

cve-icon Vulnrichment

Updated: 2026-04-02T19:15:09.121Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-02T19:16:52.790

Modified: 2026-04-03T16:10:23.730

Link: CVE-2023-7342

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:16:45Z

Weaknesses