Description
An authentication bypass issue exists in OpenBlocks series firmware versions prior to FW5.0.8, which may allow an attacker to bypass administrator authentication and change the administrator password.
Published: 2026-01-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an authentication bypass (CWE-288) that allows an attacker to change the administrator password without presenting valid credentials, which can give the attacker privileged control over the affected devices. Once the password has been changed, the attacker can log in as administrator and potentially compromise device configuration and data.

Affected Systems

The affected devices are Plat'Home OpenBlocks series models: IDM RX1, IX9, IoT DX1, IoT EX/BX, IoT FX1, and IoT VX2. All devices running firmware 5.0.x prior to version 5.0.8 are affected; no other versions or vendors are listed.

Risk and Exploitability

The CVSS score of 8.7 reflects high severity. The EPSS score is below 1%, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. Based on the nature of the flaw and the available documentation, the likely attack vector is access to the device's management interface over the network or locally; the exact attack path is not detailed in the description and is therefore inferred.

Generated by OpenCVE AI on April 18, 2026 at 20:00 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to version 5.0.8 or newer, following vendor release notes and guidance
  • Reboot the device after the firmware upgrade to ensure the new firmware is active and the authentication bypass is removed
  • If an update is not yet possible, limit network access to the device’s management interface and enforce strong authentication to reduce potential credential takeover

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 20:30:00 +0000

Type: Title
Values Added: Authentication Bypass Allowing Administrator Password Modification

Tue, 06 Jan 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 06 Jan 2026 07:00:00 +0000

Type: Description
Values Added: Authentication bypass issue exists in OpenBlocks series versions prior to FW5.0.8, which may allow an attacker to bypass administrator authentication and change the password.

Type: Weaknesses
Values Added: CWE-288

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_0 {'score': 8.8, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-01-06T14:49:01.813Z

Reserved: 2026-01-05T02:44:14.797Z

Link: CVE-2026-21411

Vulnrichment

Updated: 2026-01-06T14:48:03.722Z

NVD

Status: Deferred

Published: 2026-01-06T07:15:43.870

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-21411

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses