CVE-2026-8980
Description
The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to privilege escalation. An authenticated low-privileged user can change the passwords of the admin (operator) and manufacturer accounts via crafted POST requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated low-privileged user can change admin and manufacturer account passwords in Mennekes Amtron series via crafted POST requests.
Vulnerability
The Mennekes Amtron series, specifically firmware versions ≤ 5.22.3, contains a privilege escalation vulnerability. An authenticated low-privileged user can send crafted POST requests to change the passwords of the admin (operator) and manufacturer accounts. Affected models include Amtron Professional, Amtron Professional (Eichrecht), Amedio Professional, Amtron Charge Control, Amtron Professional Twincharge, and Smart-T PnC. [1]
Exploitation
An attacker must first obtain a low-privileged session on the device. With network access, they send a POST request (e.g., to /operator/operator) containing the new password parameter (e.g., UserPwdPlain_custom=asdf). No additional authentication or special privileges are required beyond the existing low-privileged session. [1]
Impact
Successful exploitation allows the attacker to gain full administrative control over the device. This can lead to complete device takeover, loss of access control over the charging infrastructure, and potential service disruptions. Confidentiality, integrity, and availability of the system are compromised. [1]
Mitigation
As of the publication date, no patched firmware version has been released. The vendor, Mennekes, has not disclosed a workaround. Users are advised to contact Mennekes for updates and to restrict network access to the affected devices. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog. [1]
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: ≤5.22.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization checks on the settings endpoint allow a low-privileged user to overwrite admin and manufacturer account passwords."
Attack vector
An authenticated low-privileged attacker sends crafted POST requests to the `/json/settings.json` endpoint with JSON payloads containing the keys `OperatorPwdPlain_custom` or `ManufacturerPwd_custom` and a new password value [ref_id=1]. The endpoint does not verify that the requesting user has the required privileges to change accounts with higher roles. The attacker only needs a valid session token (Authorization header) obtained through normal low-privileged authentication, and network access to the device's web interface.
Affected code
The vulnerable endpoint is `/json/settings.json`, which accepts JSON payloads with parameters such as `OperatorPwdPlain_custom` and `ManufacturerPwd_custom` [ref_id=1]. The advisory does not specify the server-side function or file responsible for handling this endpoint.
What the fix does
The advisory does not include a patch or vendor fix details [ref_id=1]. The remediation would require the `/json/settings.json` endpoint to enforce role-based authorization checks before allowing password changes for the operator (admin) and manufacturer accounts. Only users with the corresponding high-privilege role should be permitted to modify those account credentials.
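A minimal sketch of the per-key, role-based check described above. This is an added example, not vendor code or code from the advisory. The role names, the policy table and the `ExampleUserSetting` key are assumptions; only the two password keys and the `params` payload shape come from the text above.

```python
import json

# Assumed role names and policy table; only the two password keys and the
# {"params": [{"key": ..., "value": ...}]} shape come from the advisory.
POLICY = {
    "OperatorPwdPlain_custom": {"operator"},
    "ManufacturerPwd_custom": {"manufacturer"},
    "ExampleUserSetting": {"user", "operator", "manufacturer"},  # constructed placeholder key
}


class Forbidden(Exception):
    """Caller's role may not write one of the requested keys (HTTP 403)."""


def authorize_settings_write(session_role, raw_body):
    """Validate a settings POST body against POLICY for the session's role.

    Returns the (key, value) pairs to apply. The whole request is rejected
    if any single key is not permitted, so a batch cannot carry a
    privileged key alongside harmless ones.
    """
    try:
        params = json.loads(raw_body)["params"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed settings payload") from exc
    if not isinstance(params, list):
        raise ValueError("params must be a list")

    approved = []
    for item in params:
        if not isinstance(item, dict) or not isinstance(item.get("key"), str):
            raise ValueError("each param needs a string key")
        key = item["key"]
        # Deny by default: keys absent from POLICY are writable by nobody.
        if session_role not in POLICY.get(key, set()):
            raise Forbidden(f"role {session_role!r} may not write {key!r}")
        approved.append((key, item.get("value")))
    return approved
```

The role passed in must come from the server-side session, never from a field in the request body.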
Preconditions
- Auth: Attacker must be authenticated as a low-privileged user on the device.
- Network: Attacker must have network access to the device's web interface.
Reproduction
1. Authenticate as a low-privileged user and capture a valid Authorization token.
2. Send a POST request to `http://<target>/json/settings.json` with the JSON body `{"params":[{"key":"OperatorPwdPlain_custom","value":"asd"}]}` and the captured Authorization header.
3. Send a POST request to the same endpoint with the JSON body `{"params":[{"key":"ManufacturerPwd_custom","value":"asd"}]}`.
4. The admin (operator) and manufacturer account passwords are now changed to "asd", granting the attacker full control [ref_id=1].
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References