Description
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a cross-site request forgery vulnerability that allows attackers to modify device configuration by exploiting missing CSRF protections in setup.cgi. Attackers can host malicious pages that submit forged requests using automatically-included HTTP Basic Authentication credentials to add RADIUS accounts, alter network settings, or trigger diagnostics.
Published: 2026-03-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Configuration Change
Action: Apply Patch
AI Analysis

Impact

Hereta ETH‑IMC408M firmware version 1.0.15 and earlier are affected by a cross‑site request forgery (CSRF) vulnerability in the setup.cgi handler. The missing CSRF checks allow an attacker to host a malicious webpage that submits forged requests using the device’s automatically‑included HTTP Basic Authentication credentials. Successful exploitation can result in the creation of unauthorized RADIUS accounts, alteration of network settings, or triggering of diagnostics, effectively enabling attackers to modify configuration and potentially disrupt network services.

Affected Systems

Shenzhen Hereta Technology Co., Ltd. product Hereta ETH‑IMC408M is vulnerable when running firmware 1.0.15 or earlier. No additional vendor or product identifiers are listed.

Risk and Exploitability

With a CVSS score of 5.1 this vulnerability is classified as moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a web-based CSRF attack: the attacker only needs a user whose browser holds the device credentials to load a malicious page, and the browser's automatic inclusion of those credentials authenticates the forged requests to setup.cgi. No network-level authentication is required beyond the HTTP Basic auth already configured on the device. Remote exploitation is possible via any network path that allows the attacker to reach the web interface.

Generated by OpenCVE AI on March 17, 2026 at 11:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hereta ETH‑IMC408M firmware to a version that includes CSRF protection; obtain the latest firmware from the vendor’s website or support.
  • Restrict access to the device’s web management interface by placing the device behind a firewall or in a separate network segment accessible only to trusted administrators.
  • If an immediate firmware upgrade is not available, disable HTTP Basic authentication on the web interface or block access to the setup.cgi endpoint, so that a browser cannot automatically attach stored credentials to a forged request.
  • Audit the device’s configuration logs for any unauthorized RADIUS accounts or network setting changes and restore the intended configuration if necessary.
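As an added illustration (not code from the advisory or from Hereta), the server-side gate a firmware maintainer, or a reverse proxy placed in front of the device, could apply to setup.cgi requests. The first function reproduces the behaviour the advisory describes (any POST carrying Basic Auth credentials is honoured); the second adds the fetch-metadata, Origin and user-bound token checks that reject a forged cross-site request. DEVICE_ORIGIN, the request dictionaries and the form fields are constructed placeholders.

```python
import base64, hashlib, hmac, secrets

DEVICE_ORIGIN = "https://192.0.2.10"  # constructed address of the device web UI
_TOKEN_KEY = secrets.token_bytes(32)  # per-boot secret; tokens expire on reboot

def basic_auth_user(headers):
    """Return the user name from an HTTP Basic Authorization header, or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode()
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def issue_csrf_token(user):
    """Token the device embeds in its own forms; an off-device page cannot compute it."""
    return hmac.new(_TOKEN_KEY, user.encode(), hashlib.sha256).hexdigest()

def vulnerable_accepts(method, headers, form):
    """Behaviour the advisory describes: any authenticated POST is applied as-is."""
    return method == "POST" and basic_auth_user(headers) is not None

def hardened_accepts(method, headers, form):
    """Same gate plus fetch-metadata, Origin and token checks (CWE-352 mitigations)."""
    user = basic_auth_user(headers)
    if method != "POST" or user is None:
        return False
    site = headers.get("Sec-Fetch-Site")  # sent by current browsers; absent on old ones
    if site is not None and site not in ("same-origin", "none"):
        return False
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != DEVICE_ORIGIN and not origin.startswith(DEVICE_ORIGIN + "/"):
        return False
    return hmac.compare_digest(form.get("csrf_token", ""), issue_csrf_token(user))

# Constructed requests: one from the device's own page, one from a third-party page.
AUTH = {"Authorization": "Basic " + base64.b64encode(b"admin:pw").decode()}
LEGIT_HEADERS = {**AUTH, "Origin": DEVICE_ORIGIN, "Sec-Fetch-Site": "same-origin"}
FORGED_HEADERS = {**AUTH, "Origin": "https://third-party.example", "Sec-Fetch-Site": "cross-site"}
RADIUS_FORM = {"action": "add_radius", "name": "svc"}

if __name__ == "__main__":
    legit = {**RADIUS_FORM, "csrf_token": issue_csrf_token("admin")}
    print(vulnerable_accepts("POST", FORGED_HEADERS, RADIUS_FORM),  # True: forged request applied
          hardened_accepts("POST", FORGED_HEADERS, RADIUS_FORM),    # False: rejected
          hardened_accepts("POST", LEGIT_HEADERS, legit))           # True: device's own form
```

The token check is what carries the load: Sec-Fetch-Site and Origin are absent on older browsers, and a device that relies on them alone is still exposed to those clients.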

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 17:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hereta
                                      Hereta eth-imc408m
                                      Hereta eth-imc408m Firmware
CPEs                                  cpe:2.3:h:hereta:eth-imc408m:-:*:*:*:*:*:*:*
                                      cpe:2.3:o:hereta:eth-imc408m_firmware:*:*:*:*:*:*:*:*
Vendors & Products                    Hereta
                                      Hereta eth-imc408m
                                      Hereta eth-imc408m Firmware

Tue, 17 Mar 2026 15:45:00 +0000

Type                 Values Removed   Values Added
Metrics                               cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Tue, 17 Mar 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Shenzhen Hereta Technology
                                      Shenzhen Hereta Technology hereta Eth-imc408m
Vendors & Products                    Shenzhen Hereta Technology
                                      Shenzhen Hereta Technology hereta Eth-imc408m

Mon, 16 Mar 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 17:30:00 +0000

Type                 Values Removed   Values Added
Description                           Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a cross-site request forgery vulnerability that allows attackers to modify device configuration by exploiting missing CSRF protections in setup.cgi. Attackers can host malicious pages that submit forged requests using automatically-included HTTP Basic Authentication credentials to add RADIUS accounts, alter network settings, or trigger diagnostics.
Title                                 Hereta ETH-IMC408M CSRF via Configuration Setup
Weaknesses                            CWE-352
References
Metrics                               cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-17T15:29:46.810Z

Reserved: 2026-03-04T15:39:26.873Z

Link: CVE-2026-29521

Vulnrichment

Updated: 2026-03-16T18:11:00.428Z

NVD

Status : Analyzed

Published: 2026-03-16T18:16:08.500

Modified: 2026-04-10T17:42:56.420

Link: CVE-2026-29521

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:50:14Z

Weaknesses