VYPR
advisoryPublished Jul 7, 2026· 1 source

Digi International Devices Vulnerable to Authentication Bypass and Cross-Site Scripting

CISA has issued an advisory for multiple Digi International devices, including PortServer TS, Digi One SP, and Digi One IA, due to two critical vulnerabilities.

CISA has released an advisory detailing two significant vulnerabilities affecting several Digi International devices, including the PortServer TS, Digi One SP, and Digi One IA series. These flaws, identified as CVE-2026-12352 and CVE-2026-12948, pose risks of unauthorized access, credential theft, and script injection within industrial and critical infrastructure environments.

CVE-2026-12352 is an incorrect authorization vulnerability that allows an unauthenticated attacker to bypass the device's authentication mechanisms. This bypass grants the attacker access to restricted resources, potentially enabling them to gain control or exfiltrate sensitive information without needing any credentials. The CVSS v3.1 score for this vulnerability is 5.9 (MEDIUM), with a CVSS 4.0 score of 8.2 (HIGH), indicating a significant threat.

The second vulnerability, CVE-2026-12948, is a stored cross-site scripting (XSS) flaw. This vulnerability affects the web management interface and allows an authenticated administrator to inject malicious scripts. These scripts are then stored and can be executed in the browsers of other users who view the affected configuration pages. While this requires administrator privileges to exploit, it can lead to further compromise, credential harvesting, or manipulation of the management interface.

These vulnerabilities impact specific firmware versions of the Digi International PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA devices, all of which are listed as known affected. The affected products are deployed globally across critical infrastructure sectors such as Critical Manufacturing, Communications, Information Technology, and Transportation Systems.

Digi International has provided remediation guidance, recommending an upgrade to Digi Connect EZ or Digi Connect EZ TS as a long-term solution. For users unable to upgrade immediately, several mitigations are suggested. For the PortServer TS, enabling HTTPS on the web server is advised, or alternatively, disabling the web server when not in use. For the Digi One SP, Digi One SP IA, and Digi One IA devices, disabling the web server is the primary recommendation if HTTPS cannot be configured. In all cases, restricting access via a firewall or VPN is a crucial compensating control.

Furthermore, CISA emphasizes best practices for reducing exposure, including deploying these devices on trusted network segments, never exposing them to untrusted or public networks, and placing them behind a firewall or VPN. Access to the web management interface should be strictly limited to trusted administrative hosts. Safeguarding administrator credentials is also paramount, as exploitation of CVE-2026-12948 requires such access.

Notably, Digi International will not provide a firmware fix for CVE-2026-12948, as the affected products are nearing their end-of-life. This underscores the urgency for organizations to migrate to newer, supported hardware like the Digi Connect EZ series to ensure ongoing security.

This advisory highlights the persistent security challenges within the Industrial Internet of Things (IIoT) and operational technology (OT) sectors, where legacy devices often remain in operation, presenting attractive targets for attackers. The combination of authentication bypass and XSS vulnerabilities in network-attached devices underscores the need for continuous monitoring, robust access controls, and proactive patching or replacement strategies.

Synthesized by Vypr AI