Description
Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server's file system, for example via a request such as 'http://<host>/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd'. By manipulating the input to include URL-encoded directory traversal sequences (e.g., %2F representing /), an attacker can bypass the input validation mechanisms and retrieve sensitive files outside the intended directory, which could lead to information disclosure or further system compromise.
Published: 2026-02-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Information Disclosure
Action: Patch
AI Analysis

Impact

Path traversal in Digitek ADT1100 and Digitek DT950 allows an attacker to retrieve arbitrary files on the server by sending URL-encoded traversal sequences. This flaw bypasses the input validation and can expose sensitive system files such as /etc/passwd, leading to information disclosure or further exploitation.

Affected Systems

All released versions of Primion Digitek’s Digitek ADT1100 and Digitek DT950 devices are affected. The vulnerability is present across all builds of the two products, as indicated by the CPE all_versions designation.

Risk and Exploitability

The vulnerability has a CVSS score of 8.7, indicating high severity, yet the EPSS probability is less than 1%, and it is not listed in the CISA KEV catalog. The likely attack vector is HTTP requests containing URL encoded traversal sequences sent to the device’s web interface. Based on the description, it is inferred that these requests do not require authentication, allowing an attacker to retrieve files outside the intended resource directory.

Generated by OpenCVE AI on April 18, 2026 at 13:41 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed in the latest version of the affected products.


OpenCVE Recommended Actions

  • Apply the latest firmware or software update for Digitek ADT1100 and DT950, which contains the path traversal fix.
  • Configure the web server or device to serve only the intended directories and remove any unrestricted file serving capabilities.
  • Implement log monitoring to detect and alert on suspicious path traversal attempts, such as requests containing multiple encoded '/' characters.
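
The log-monitoring recommendation above can be sketched as follows. This is an added example, not code from OpenCVE or the vendor. It assumes the access log is in Common Log Format (the devices' real log format is not described on this page), and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Assumption: Common Log Format; the request target is the quoted middle field.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # repeated decoding also covers nested percent-encoding

def fully_decode(target):
    """Percent-decode until the string stops changing (bounded)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def traversal_depth(target):
    """Number of directory levels the request path climbs above the web root."""
    path = fully_decode(target.split("?", 1)[0]).replace("\\", "/")
    depth = lowest = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif segment not in ("", "."):
            depth += 1
    return -lowest

def suspicious_lines(lines):
    """Return (line, depth) for every request whose path escapes the web root."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        depth = traversal_depth(match.group(1)) if match else 0
        if depth > 0:
            hits.append((line, depth))
    return hits

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Feb/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/Feb/2026:10:00:02 +0000] "GET /css/../img/logo.png HTTP/1.1" 200 90',
    '192.0.2.77 - - [05/Feb/2026:10:00:03 +0000] "GET /' + "..%2F" * 9
    + 'etc%2Fpasswd HTTP/1.1" 200 1203',
]

if __name__ == "__main__":
    for line, depth in suspicious_lines(SAMPLE_LOG):
        print(f"ALERT depth={depth}: {line}")
```

Alerting on the decoded depth rather than on a raw count of `%2F` keeps benign requests such as `/css/../img/logo.png`, which never leave the web root, out of the alert stream.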


Advisories

No advisories yet.

History

Thu, 05 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 13:45:00 +0000

Type Values Removed Values Added
Description Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server's file system, for example via a request such as 'http://<host>/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd'. By manipulating the input to include URL-encoded directory traversal sequences (e.g., %2F representing /), an attacker can bypass the input validation mechanisms and retrieve sensitive files outside the intended directory, which could lead to information disclosure or further system compromise.
Title Path Traversal in Digitek from Grupo Azkoyen
First Time appeared Primion Digitek
Primion Digitek digitek Adt1100
Primion Digitek digitek Dt950
Weaknesses CWE-22
CPEs cpe:2.3:a:primion_digitek:digitek_adt1100:all_versions:*:*:*:*:*:*:*
cpe:2.3:a:primion_digitek:digitek_dt950:all_versions:*:*:*:*:*:*:*
Vendors & Products Primion Digitek
Primion Digitek digitek Adt1100
Primion Digitek digitek Dt950
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-02-05T14:29:09.926Z

Reserved: 2026-01-28T10:54:43.233Z

Link: CVE-2026-1523

Vulnrichment

Updated: 2026-02-05T14:26:33.334Z

NVD

Status: Deferred

Published: 2026-02-05T14:16:04.420

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1523

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z
