Description
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the ping_ipaddr parameter to compromise authenticated administrator sessions when the links are visited.
Published: 2026-03-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Reflected XSS
Action: Apply Patch
AI Analysis

Impact

Hereta ETH‑IMC408M firmware version 1.0.15 and earlier contain a reflected cross‑site scripting vulnerability (CWE‑79) in the Network Diagnosis ping function. The flaw allows an attacker to inject arbitrary JavaScript into the ping_ipaddr parameter. When an authenticated administrator visits a crafted link, the script executes within the administrator’s browser session, potentially enabling arbitrary code execution on the device or within the administrator’s context.

Affected Systems

The vulnerability affects devices from Shenzhen Hereta Technology Co., Ltd., specifically the Hereta ETH‑IMC408M model. Firmware versions 1.0.15 and earlier are vulnerable; any unit running these versions remains susceptible until updated.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. EPSS data is unavailable and the flaw is not listed in the CISA KEV catalog, suggesting limited real‑world exploitation evidence. Exploitation requires an authenticated administrator to click a malicious link, making it a client‑side XSS scenario. If the link is visited, the exploit succeeds; otherwise the vulnerability remains dormant. Overall risk is moderate but should be mitigated promptly to prevent potential compromise of administrator sessions.

Generated by OpenCVE AI on March 17, 2026 at 12:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install the latest firmware update from Shenzhen Hereta Technology.
  • If an official fix is not yet available, disable or restrict the Network Diagnosis ping function in the device’s web interface.
  • Limit administrator access to trusted networks and enforce strong authentication mechanisms.
  • Educate system administrators to avoid clicking suspicious links.
  • Monitor the device for anomalous activity.

Generated by OpenCVE AI on March 17, 2026 at 12:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Hereta
Hereta eth-imc408m
Hereta eth-imc408m Firmware
CPEs cpe:2.3:h:hereta:eth-imc408m:-:*:*:*:*:*:*:*
cpe:2.3:o:hereta:eth-imc408m_firmware:*:*:*:*:*:*:*:*
Vendors & Products Hereta
Hereta eth-imc408m
Hereta eth-imc408m Firmware

Tue, 17 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Shenzhen Hereta Technology
Shenzhen Hereta Technology hereta Eth-imc408m
Vendors & Products Shenzhen Hereta Technology
Shenzhen Hereta Technology hereta Eth-imc408m

Mon, 16 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the ping_ipaddr parameter to compromise authenticated administrator sessions when the links are visited.
Title Hereta ETH-IMC408M Reflected XSS via ping_ipaddr Parameter
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Hereta Eth-imc408m Eth-imc408m Firmware
Shenzhen Hereta Technology Hereta Eth-imc408m
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-17T15:29:29.391Z

Reserved: 2026-03-04T15:39:26.872Z

Link: CVE-2026-29520

cve-icon Vulnrichment

Updated: 2026-03-16T18:09:13.372Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T18:16:08.347

Modified: 2026-04-10T17:43:45.847

Link: CVE-2026-29520

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:50:13Z

Weaknesses