CVE-2024-26155

All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0 expose clear text credentials in the web portal. An attacker can access the ETIC RAS web portal and view the HTML code, which is configured to be hidden, thus allowing a connection to the ETIC RAS ssh server, which could enable an attacker to perform actions on the device.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-22-307-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:o:etictelecom:remote_access_server_firmware:*:*:*:*:*:*:*:*

History

30 Jul 2025, 17:11

Type	Values Removed	Values Added
Summary		(es) Todas las versiones de ETIC Telecom Remote Access Server (RAS) anteriores a la 4.5.0 exponen credenciales de texto sin formato en el portal web. Un atacante puede acceder al portal web de ETIC RAS ??y ver el código HTML, que está configurado para estar oculto, lo que permite una conexión al servidor ssh de ETIC RAS, lo que podría permitir a un atacante realizar acciones en el dispositivo.
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-22-307-01 -~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-22-307-01 - Third Party Advisory, US Government Resource
CPE		cpe:2.3:o:etictelecom:remote_access_server_firmware::::::::
First Time		Etictelecom remote Access Server Firmware Etictelecom

17 Jan 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-17 17:15

Updated : 2025-07-30 17:11

NVD link : CVE-2024-26155

Mitre link : CVE-2024-26155

CVE.ORG link : CVE-2024-26155

JSON object : View

Products Affected

etictelecom

remote_access_server_firmware

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2024-26155", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-01-17T17:15:11.327", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-307-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0 \nexpose clear text credentials in the web portal. An attacker can access \nthe ETIC RAS web portal and view the HTML code, which is configured to \nbe hidden, thus allowing a connection to the ETIC RAS ssh server, which \ncould enable an attacker to perform actions on the device."}, {"lang": "es", "value": "Todas las versiones de ETIC Telecom Remote Access Server (RAS) anteriores a la 4.5.0 exponen credenciales de texto sin formato en el portal web. Un atacante puede acceder al portal web de ETIC RAS ??y ver el c\u00f3digo HTML, que est\u00e1 configurado para estar oculto, lo que permite una conexi\u00f3n al servidor ssh de ETIC RAS, lo que podr\u00eda permitir a un atacante realizar acciones en el dispositivo."}], "lastModified": "2025-07-30T17:11:39.190", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:etictelecom:remote_access_server_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60117720-6063-4797-8E19-A3256111ED16", "versionEndExcluding": "4.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}