Cyber Posture

CVE-2026-27755

Critical · Public PoC

Published: 27 February 2026

Modified: 03 March 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a weak session identifier generation vulnerability that allows attackers to forge authenticated sessions by computing predictable MD5-based cookies. Attackers who know or guess valid credentials can calculate the session identifier offline and bypass authentication without completing the login flow, gaining unauthorized access to the device.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly requires protection of communications session authenticity to prevent forgery via predictable session identifiers.

prevent

Mandates secure generation and management of authenticators, including session cookies, to avoid predictable MD5-based identifiers that enable offline computation and forgery.

prevent · recover

Requires timely identification, reporting, and correction of flaws such as weak session identifier generation in device firmware.

Security Summary · AI

CVE-2026-27755, published on 2026-02-27, is a weak session identifier generation vulnerability (CWE-330) affecting SODOLA SL902-SWTGW124AS firmware versions through 200.1.20. The device generates predictable MD5-based cookies for session identifiers, enabling attackers to forge authenticated sessions. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.

Remote attackers can exploit this vulnerability if they know or guess valid credentials. By computing the predictable session identifier offline, they bypass the normal login flow, forge an authenticated session, and gain unauthorized access to the device. The attack requires no privileges, no user interaction, and no elevated complexity.

Advisories and mitigation details are referenced in the VulnCheck advisory at https://www.vulncheck.com/advisories/sodola-sl902-swtgw124as-predictable-session-id and the vendor product page at https://www.sodola-network.com/products/sodola-6-port-2-5g-easy-web-managed-switch-4-x-2-5g-base-t-ports-2-x-10g-sfp-static-aggregation-qos-vlan-igmp-2-5gb-network-home-lab-switch.

Details

CWE(s)

Affected Products

sodola-network · sl902-swtgw124as firmware · ≤ 200.1.20

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1606.001 Web Cookies (Credential Access)
Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
Why these techniques?

The vulnerability in the web management interface of the network switch enables exploitation of a public-facing application (T1190) via predictable session identifiers, directly facilitating the forging of web session cookies for unauthorized access (T1606.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References