PT-2025-20739 · Digi · Digi One SP IA +4
Published: 2025-05-12 · Updated: 2025-05-12 · CVE-2025-3659
CVSS v4.0: 9.4 (Critical)
Vector: AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Digi PortServer TS versions prior to and including 82000747 AA, build date 06/17/2022
Digi One SP/Digi One SP IA/Digi One IA versions prior to and including 82000774 Z, build date 10/19/2020
Digi One IAP versions prior to and including 82000770 Z, build date 10/19/2020
Description
Improper authentication handling was identified in a set of HTTP POST requests. A specially crafted POST request to the device’s web interface may allow an unauthenticated attacker to modify configuration settings.
Recommendations
For Digi PortServer TS versions prior to and including 82000747 AA, build date 06/17/2022, update to a version later than 82000747 AA.
For Digi One SP/Digi One SP IA/Digi One IA versions prior to and including 82000774 Z, build date 10/19/2020, update to a version later than 82000774 Z.
For Digi One IAP versions prior to and including 82000770 Z, build date 10/19/2020, update to a version later than 82000770 Z.
As a temporary workaround, consider restricting access to the device’s web interface to prevent unauthenticated attackers from modifying configuration settings.
Fix
Improper Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Digi One IA
Digi One IAP
Digi One SP
Digi One SP IA
Digi PortServer TS