Description
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a cross-site request forgery vulnerability that allows attackers to modify device configuration by exploiting missing CSRF protections in setup.cgi. Attackers can host malicious pages that submit forged requests using automatically-included HTTP Basic Authentication credentials to add RADIUS accounts, alter network settings, or trigger diagnostics.
Published: 2026-03-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: configuration modification via CSRF
Action: Patch Now
AI Analysis

Impact

A flaw in the device's configuration web interface allows attackers to perform cross-site request forgery because the setup.cgi script lacks CSRF protection. The vulnerability enables unauthorized modification of device settings, including adding RADIUS accounts, changing network parameters, or triggering diagnostic procedures. This weakness is classified as a CSRF issue and directly compromises the integrity of the device configuration.

Affected Systems

The affected product is the Hereta ETH-IMC408M network device produced by Shenzhen Hereta Technology Co., Ltd.; firmware version 1.0.15 and all earlier releases are vulnerable.

Risk and Exploitability

With a CVSS score of 5.1 the risk is moderate, and the EPSS score of less than 1% indicates that exploitation is unlikely. The flaw is not listed in CISA's KEV catalog. Attackers would need to persuade a user to visit a malicious web page that auto-submits requests carrying the device's HTTP Basic Authentication credentials, meaning the attack vector is browser-based and does not require privilege escalation.

Generated by OpenCVE AI on April 10, 2026 at 18:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Hereta website or vendor support portal for a firmware update that addresses the CSRF flaw and apply the update if available.
  • If no updated firmware is released, limit access to the configuration interface to trusted internal networks, disable automatic Basic Authentication where possible, or otherwise restrict web access to the device from the public internet.



Advisories

No advisories yet.

History

Fri, 10 Apr 2026 17:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Hereta; Hereta eth-imc408m; Hereta eth-imc408m Firmware
CPEs                |                | cpe:2.3:h:hereta:eth-imc408m:-:*:*:*:*:*:*:*; cpe:2.3:o:hereta:eth-imc408m_firmware:*:*:*:*:*:*:*:*
Vendors & Products  |                | Hereta; Hereta eth-imc408m; Hereta eth-imc408m Firmware

Tue, 17 Mar 2026 15:45:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 17 Mar 2026 10:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Shenzhen Hereta Technology; Shenzhen Hereta Technology hereta Eth-imc408m
Vendors & Products  |                | Shenzhen Hereta Technology; Shenzhen Hereta Technology hereta Eth-imc408m

Mon, 16 Mar 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 17:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a cross-site request forgery vulnerability that allows attackers to modify device configuration by exploiting missing CSRF protections in setup.cgi. Attackers can host malicious pages that submit forged requests using automatically-included HTTP Basic Authentication credentials to add RADIUS accounts, alter network settings, or trigger diagnostics.
Title       |                | Hereta ETH-IMC408M CSRF via Configuration Setup
Weaknesses  |                | CWE-352
References  |                |
Metrics     |                | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-17T15:29:46.810Z

Reserved: 2026-03-04T15:39:26.873Z

Link: CVE-2026-29521

Vulnrichment

Updated: 2026-03-16T18:11:00.428Z

NVD

Status: Analyzed

Published: 2026-03-16T18:16:08.500

Modified: 2026-04-10T17:42:56.420

Link: CVE-2026-29521

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:28:31Z

Weaknesses