Description
Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a
Cross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead
to unauthorized modification of certain information.
Published: 2026-03-25
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of configuration via CSRF
Action: Apply Patch
AI Analysis

Impact

A Cross‑Site Request Forgery flaw permits an attacker to cause an authenticated user to submit a forged request to the device, potentially altering configuration settings. This weakness is identified as CWE‑352 and compromises the integrity of the system; it does not lead to remote code execution or denial of service.

Affected Systems

Ericsson Indoor Connect 8855 devices running firmware versions released prior to the 2025.Q3 update are affected. All builds before that firmware release contain the flaw, regardless of specific build number. Users should consult the Ericsson PSIRT references to determine the firmware build on their device.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, while the EPSS score of less than 1 % suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. The most likely attack vector involves an attacker tricking an authenticated user into visiting a malicious page or clicking a crafted link that, when rendered by the user’s browser, submits a forged request to the device. Based on the description, it is inferred that the attacker needs an authenticated session to succeed; no remote exploitation is described.

Generated by OpenCVE AI on March 27, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update (2025.Q3 or newer) available from Ericsson to the Indoor Connect 8855.

Generated by OpenCVE AI on March 27, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Ericsson indoor Connect 8855 Firmware
CPEs cpe:2.3:h:ericsson:indoor_connect_8855:-:*:*:*:*:*:*:*
cpe:2.3:o:ericsson:indoor_connect_8855_firmware:*:*:*:*:*:*:*:*
Vendors & Products Ericsson indoor Connect 8855 Firmware
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Ericsson
Ericsson indoor Connect 8855
Vendors & Products Ericsson
Ericsson indoor Connect 8855

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Description Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead to unauthorized modification of certain information.
Title Ericsson Indoor Connect 8855 - Cross-Site Request Forgery Vulnerability
Weaknesses CWE-352
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Ericsson Indoor Connect 8855 Indoor Connect 8855 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: ERIC

Published:

Updated: 2026-03-25T13:44:45.962Z

Reserved: 2025-04-16T08:59:01.744Z

Link: CVE-2025-40841

cve-icon Vulnrichment

Updated: 2026-03-25T13:44:40.816Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T14:16:30.403

Modified: 2026-03-27T18:29:38.210

Link: CVE-2025-40841

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:28:28Z

Weaknesses