Description
Improper comparison with the certificates trusted list in S2OPC allows an attacker well-formed untrusted certificate to be considered trusted
Published: 2026-06-10
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper comparison against the trusted certificate list in Systerel's S2OPC allows a well-formed untrusted certificate to be treated as trusted. The flaw is an improper certificate validation weakness (CWE-295) that lets an attacker masquerade as a legitimate identity, potentially enabling impersonation or unauthorized data access in applications that rely on S2OPC for secure communication. The change in trust status does not in itself decrypt data, but it undermines the authentication layer that protects the confidentiality, integrity, and availability of the OPC UA connection.

Affected Systems

Systerel S2OPC versions up to and including 1.7.2 are affected. The vendor recommends upgrading to any release newer than 1.7.2 to obtain the fix.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity, and the vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw can be exploited over the network without privileges or user interaction. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. However, because the flaw is triggered by simply presenting a forged certificate over the network, the likely attack vector is remote network interaction with an S2OPC host. An attacker who can supply a certificate during the TLS or OPC UA handshake could bypass authentication and gain unauthorized access to protected resources.

Generated by OpenCVE AI on June 10, 2026 at 15:30 UTC.

Remediation

Vendor Solution

Upgrade S2OPC to release version > 1.7.2

OpenCVE Recommended Actions

  • Upgrade S2OPC to release version 1.7.3 or later
  • Verify that the S2OPC configuration limits the trusted certificate list to known valid certificates and removes any untrusted certificates
  • Restrict network access to S2OPC‑enabled services to trusted hosts using firewall rules or network segmentation

Generated by OpenCVE AI on June 10, 2026 at 15:30 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:15:00 +0000
  Type: First Time appeared | Values removed: (none) | Values added: Systerel, Systerel s2opc
  Type: Vendors & Products | Values removed: (none) | Values added: Systerel, Systerel s2opc

Wed, 10 Jun 2026 14:30:00 +0000
  Type: Metrics | Values removed: (none) | Values added: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 13:30:00 +0000
  Type: Description | Values removed: (none) | Values added: Improper comparison with the certificates trusted list in S2OPC allows an attacker well-formed untrusted certificate to be considered trusted
  Type: Title | Values removed: (none) | Values added: Improper Certificate Validation in S2OPC
  Type: Weaknesses | Values removed: (none) | Values added: CWE-295
  Type: References | Values removed: (none) | Values added: (empty)
  Type: Metrics | Values removed: (none) | Values added: cvssV3_1
    {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-10T13:54:59.235Z

Reserved: 2026-05-27T18:03:27.169Z

Link: CVE-2026-9758

Vulnrichment

Updated: 2026-06-10T13:54:53.167Z

NVD

Status: Received

Published: 2026-06-10T14:16:37.767

Modified: 2026-06-10T14:16:37.767

Link: CVE-2026-9758

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses