Cyber Posture

CVE-2024-26153

High

Published: 17 January 2025
Modified: 30 July 2025
KEV Added: none recorded
CVSS Score: 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
EPSS Score: 0.0016 (37.2 percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.9.19 are vulnerable to cross-site request forgery (CSRF). An external attacker with no access to the device can force the end user into submitting a "setconf" method request, which does not require any CSRF token, and this can lead to a denial of service on the device.

Security Summary

CVE-2024-26153 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting all versions of ETIC Telecom Remote Access Server (RAS) prior to 4.9.19. The issue stems from the "setconf" method request lacking any CSRF token requirement, allowing forged requests to be processed.

An external attacker requires no access or privileges on the device (PR:N) and can exploit this over the network (AV:N) with low complexity (AC:L), but the attack depends on user interaction (UI:R). By tricking an authenticated end user into submitting the forged request, for example via a malicious webpage, the attacker achieves a denial of service (A:H) on the device, with a changed scope (S:C) and no impact on confidentiality or integrity (C:N/I:N). The CVSS v3.1 base score is 7.4.

The CISA ICS Advisory ICSA-22-307-01 provides further details on this vulnerability at https://www.cisa.gov/news-events/ics-advisories/icsa-22-307-01. Updating to ETIC Telecom RAS version 4.9.19 or later addresses the issue.

Details

CWE(s): CWE-352

Affected Products

Vendor: etictelecom
Product: remote access server firmware
Versions: ≤ 4.9.19
