Description
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication vulnerability that allows authenticated users to change account passwords without verifying the current password. Attackers who gain access to an authenticated session can modify credentials to maintain persistent access to the management interface.
Published: 2026-02-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated password changes without verification enable attackers to maintain persistent access or lock out legitimate users.
Action: Assess
AI Analysis

Impact

The firmware of the SODOLA SL902‑SWTGW124AS network switch up to version 200.1.20 contains an authentication vulnerability that allows an authenticated user to change account passwords without first verifying the current password. This weakness enables an attacker who has accessed the web‑based management interface to alter credentials, maintaining long‑term control of the device or denying legitimate users access by changing or deleting their passwords.

Affected Systems

Shenzhen Hongyavision Technology Co., Ltd. (Sodola Networks) customers using the SODOLA SL902‑SWTGW124AS array switch with firmware versions 200.1.20 or earlier are impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 7.1 (High) and an EPSS score of less than 1%, indicating high severity but a low probability of exploitation at the time of analysis. It is not listed in CISA’s KEV catalog. The likely attack path requires an authenticated session to the management interface; the attacker can then change credentials without confirming the current password, so remote authenticated access is sufficient. The risk is mitigated primarily by updating the firmware beyond the vulnerable version or by implementing the additional controls outlined below.

Generated by OpenCVE AI on April 17, 2026 at 13:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the switch firmware to a version newer than 200.1.20 that includes the password‑verification fix when it becomes available.
  • If an update is unfeasible, immediately change all administrative passwords and enforce strong password policies; restrict management access to trusted internal networks and/or VPNs.
  • Disable or restrict the web management interface from external or untrusted networks to limit the window for authenticated exploitation.
  • Monitor user accounts for unexpected password changes and audit management activity logs for suspicious activity.


Advisories

No advisories yet.

History

Tue, 03 Mar 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sodola-network; Sodola-network sl902-swtgw124as; Sodola-network sl902-swtgw124as Firmware
CPEs | | cpe:2.3:h:sodola-network:sl902-swtgw124as:-:*:*:*:*:*:*:*; cpe:2.3:o:sodola-network:sl902-swtgw124as_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Sodola-network; Sodola-network sl902-swtgw124as; Sodola-network sl902-swtgw124as Firmware

Mon, 02 Mar 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sodolanetworks; Sodolanetworks sodola Sl902-swtgw124as Firmware
CPEs | | cpe:2.3:o:sodolanetworks:sodola_sl902-swtgw124as_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Sodolanetworks; Sodolanetworks sodola Sl902-swtgw124as Firmware

Mon, 02 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Shenzhen Hongyavision Technology Co; Shenzhen Hongyavision Technology Co sodola Sl902-swtgw124as
Vendors & Products | | Shenzhen Hongyavision Technology Co; Shenzhen Hongyavision Technology Co sodola Sl902-swtgw124as

Fri, 27 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | | SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication vulnerability that allows authenticated users to change account passwords without verifying the current password. Attackers who gain access to an authenticated session can modify credentials to maintain persistent access to the management interface.
Title | | SODOLA SL902-SWTGW124AS <= 200.1.20 Unverified Password Change
Weaknesses | | CWE-620
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}; cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-02T17:30:06.948Z

Reserved: 2026-02-23T21:38:48.842Z

Link: CVE-2026-27757

Vulnrichment

Updated: 2026-02-27T18:58:21.834Z

NVD

Status: Analyzed

Published: 2026-02-27T19:16:09.990

Modified: 2026-03-03T19:09:01.163

Link: CVE-2026-27757

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:00:15Z

Weaknesses