Description
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the ping_ipaddr parameter to compromise authenticated administrator sessions when the links are visited.
Published: 2026-03-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

Hereta ETH‑IMC408M firmware versions 1.0.15 and earlier expose a reflected cross‑site scripting flaw (CWE‑79) in the Network Diagnosis ping feature. The ping_ipaddr parameter is reflected into the response without adequate neutralization, so an attacker can embed arbitrary JavaScript in it, and the script runs in the browser of any administrator who opens the crafted link. From there the attacker can steal session cookies, capture credentials, or perform other actions against the device with the administrator's privileges.

Affected Systems

The vulnerability affects Shenzhen Hereta Technology Co., Ltd. devices running the ETH‑IMC408M hardware with firmware version 1.0.15 or earlier. These units are used in enterprise networking environments.

Risk and Exploitability

The issue carries a CVSS v4.0 base score of 5.1 (Medium) and a CVSS v3.1 score of 6.1, with an EPSS below 1 %, indicating a low likelihood of widespread exploitation; the SSVC assessment records no known exploitation and rates the flaw as not automatable. It is not listed in CISA's KEV catalog. The attacker needs no account on the device (PR:N) but must get an authenticated administrator to open the crafted link (UI:A), typically through phishing or another social‑engineering lure. Once the link is opened, the injected script runs in the administrator's browser session with that user's privileges, enabling session or credential theft and further actions against the device's management interface.

Generated by OpenCVE AI on April 10, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Hereta firmware update that addresses the XSS flaw as soon as the vendor publishes one; none was listed at the time of writing
  • Until a fix is available, restrict the device's web management interface, including the Network Diagnosis ping function, to trusted management networks and to the administrators who need it
  • If the management interface sits behind a reverse proxy or web application firewall, add a rule that accepts only an IP address or hostname in ping_ipaddr; an allowlist of that shape is far more reliable than trying to blocklist script tags
  • Train administrators not to open unsolicited or untrusted links while logged in to the device, and to log out of the management interface when finished
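As an added illustration for this advisory (not Hereta's firmware code, which is not on this page), the following Python models the reflection pattern described under Impact beside a hardened version, and reuses the same allowlist to triage web‑server access logs for requests whose ping_ipaddr value could not be a legitimate ping target, the check a proxy or WAF rule from the recommendations above would enforce. The CGI path, HTML fragment, log format, sample log lines and function names are assumptions.

```python
"""Illustrative model of the ping_ipaddr reflection flaw and its fix.

Added example for this advisory page; it is NOT Hereta firmware code.
The CGI path, HTML fragment, log format and function names are assumptions.
"""
import html
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# RFC 1123-style hostname: dot-separated labels of letters, digits and
# hyphens, no leading/trailing hyphen, at most 253 characters overall.
# Assumption: the diagnosis page accepts hostnames as well as IP literals.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_ping_target(value: str) -> bool:
    """Allowlist check: accept only an IPv4/IPv6 literal or a hostname.

    Anything else (quotes, angle brackets, slashes, whitespace) is rejected,
    so a script payload never reaches the ping command or the page.
    """
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME_RE.match(value) is not None


def render_vulnerable(ping_ipaddr: str) -> str:
    """Before: the parameter is echoed into the form unencoded (the CWE-79
    pattern the advisory describes). A value starting with '">' closes the
    attribute and the tag, and whatever follows is parsed as markup."""
    return f'<input name="ping_ipaddr" value="{ping_ipaddr}">'


def render_hardened(ping_ipaddr: str) -> str:
    """After: validate against the allowlist, then HTML-encode on output.

    Output encoding is what closes the XSS; the allowlist is defence in depth
    and is also the rule a reverse proxy or WAF in front of the device can
    enforce, since a ping target has no legitimate need for markup characters.
    """
    if not is_valid_ping_target(ping_ipaddr):
        return '<p class="error">Invalid ping target</p>'
    return f'<input name="ping_ipaddr" value="{html.escape(ping_ipaddr, quote=True)}">'


def suspicious_ping_requests(log_lines):
    """Triage helper: return (client, decoded ping_ipaddr) for every request
    whose ping_ipaddr fails the allowlist. Expects combined-log-format lines,
    where the request target is the 7th whitespace-separated field."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, target = fields[0], fields[6]
        query = parse_qs(urlsplit(target).query)  # percent-decodes the values
        for value in query.get("ping_ipaddr", []):
            if not is_valid_ping_target(value):
                hits.append((client, value))
    return hits


# Constructed sample log lines (not real traffic); /diag.cgi is a hypothetical path.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Mar/2026:10:00:01 +0000] "GET /diag.cgi?ping_ipaddr=10.0.0.1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [16/Mar/2026:10:00:09 +0000] "GET /diag.cgi?ping_ipaddr=gateway.example.net HTTP/1.1" 200 530',
    '198.51.100.7 - - [16/Mar/2026:10:02:44 +0000] "GET /diag.cgi?ping_ipaddr=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    payload = '"><script>alert(1)</script>'
    print("vulnerable:", render_vulnerable(payload))
    print("hardened:  ", render_hardened(payload))
    print("hardened:  ", render_hardened("10.0.0.1"))
    for client, value in suspicious_ping_requests(SAMPLE_LOG):
        print(f"suspicious ping_ipaddr from {client}: {value!r}")
```

The allowlist deliberately describes what a ping target can be rather than what an attack looks like: a blocklist for `<script>` misses event-handler attributes, encoded variants and future payloads, while nothing legitimate is lost by rejecting every character outside the IP and hostname grammar.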

Generated by OpenCVE AI on April 10, 2026 at 18:30 UTC.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 17:45:00 +0000

Type: First Time appeared
  Values Added: Hereta; Hereta eth-imc408m; Hereta eth-imc408m Firmware
Type: CPEs
  Values Added: cpe:2.3:h:hereta:eth-imc408m:-:*:*:*:*:*:*:*; cpe:2.3:o:hereta:eth-imc408m_firmware:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Hereta; Hereta eth-imc408m; Hereta eth-imc408m Firmware

Tue, 17 Mar 2026 15:45:00 +0000

Type: Metrics
  Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 17 Mar 2026 10:00:00 +0000

Type: First Time appeared
  Values Added: Shenzhen Hereta Technology; Shenzhen Hereta Technology hereta Eth-imc408m
Type: Vendors & Products
  Values Added: Shenzhen Hereta Technology; Shenzhen Hereta Technology hereta Eth-imc408m

Mon, 16 Mar 2026 18:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 17:30:00 +0000

Type: Description
  Values Added: Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the ping_ipaddr parameter to compromise authenticated administrator sessions when the links are visited.
Type: Title
  Values Added: Hereta ETH-IMC408M Reflected XSS via ping_ipaddr Parameter
Type: Weaknesses
  Values Added: CWE-79
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-17T15:29:29.391Z

Reserved: 2026-03-04T15:39:26.872Z

Link: CVE-2026-29520

Vulnrichment

Updated: 2026-03-16T18:09:13.372Z

NVD

Status : Analyzed

Published: 2026-03-16T18:16:08.347

Modified: 2026-04-10T17:43:45.847

Link: CVE-2026-29520

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:28:30Z

Weaknesses