6.5 CVE-2026-27754
Enriched by CISA Privilege Escalation
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographically broken MD5 hash function for session cookie generation, weakening session security. Attackers can exploit predictable session tokens combined with MD5's collision vulnerabilities to forge valid session cookies and gain unauthorized access to the device.
https://nvd.nist.gov/vuln/detail/CVE-2026-27754
Categories
CWE-328 : Use of Weak Hash
The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Programmable Logic Controller (PLC) uses a protocol with a cryptographically insecure hashing algorithm for passwords. SHA-1 algorithm is not collision-resistant. DNS product uses a weak hash (CRC32 or SHA-1) of the query name, allowing attacker to forge responses by computing domain names with the same hash. blogging product uses MD5-based algorithm for passwords. forging of certificate signatures using SHA-1 collisions. mobile app for backup sends SHA-1 hash of password in cleartext. Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks.
References
AFFECTED (from MITRE)
| Vendor |
Product |
Versions |
| Shenzhen Hongyavision Technology Co., Ltd. (Sodola Networks) |
SODOLA SL902-SWTGW124AS |
|
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
CPE
REMEDIATION
EXPLOITS
Exploit-db.com
| id |
description |
date |
|
| No known exploits |
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
| id |
description |
severity |
| 461 |
Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service. [Find a vulnerable web service] The adversary finds a web service that uses a vulnerable authentication scheme, where an authentication token is concatenated with the parameters of a request and then hashed [Attempt adding padding to parameters] An adversary tests if they can simply add padding to the parameters of a request such that the request is technically changed, with the hash remaining the same [Add malicious parameters to request] Add malicious parameters to a captured request in addition to what is already present. Do this by exploiting the padding weakness of the hash function and send the request to the web service so that it believes it is authenticated and acts on the extra parameters. |
High |
| 68 |
Subvert Code-signing Facilities
Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subverting this mechanism can be instrumental in an attacker escalating privilege. Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack. |
Very High |
MITRE
Techniques
| id |
description |
| T1553.002 |
Subvert Trust Controls:Code Signing |
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
Discover this offer
