<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PortServer TS (&lt;Firmware_2025) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/portserver-ts-firmware_2025/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 16:49:26 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/portserver-ts-firmware_2025/feed.xml" rel="self" type="application/rss+xml"/><item><title>Multiple Vulnerabilities in Digi International PortServer TS and Digi One SP IA Devices</title><link>https://feed.craftedsignal.io/briefs/2026-07-digi-international-vulnerabilities/</link><pubDate>Tue, 07 Jul 2026 16:49:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-digi-international-vulnerabilities/</guid><description>Multiple vulnerabilities, including CVE-2026-12352 (incorrect authorization) and CVE-2026-12948 (stored cross-site scripting), affect Digi International PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA devices with firmware prior to 2025, allowing unauthenticated bypass, access to restricted resources, credential acquisition, and client-side script execution in critical infrastructure environments.</description><content:encoded><![CDATA[<p>This CISA advisory details multiple vulnerabilities, CVE-2026-12352 and CVE-2026-12948, affecting Digi International PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA devices with firmware versions prior to 2025. An unauthenticated attacker can exploit CVE-2026-12352, an incorrect authorization vulnerability, to bypass authentication on the web management interface and gain access to restricted resources, potentially leading to credential acquisition. CVE-2026-12948 is a stored cross-site scripting (XSS) vulnerability that allows a remote, authenticated administrator to inject malicious scripts into system configuration fields. These scripts then execute in the browser of any user viewing the affected pages. The vulnerabilities pose a significant risk to critical infrastructure sectors including Manufacturing, Communications, Information Technology, and Transportation Systems, with devices deployed worldwide. While no active exploitation has been reported, successful attacks could lead to unauthorized control, data theft, and further compromise of operational technology environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access via Web Interface</strong>: An unauthenticated attacker targets the web management interface of a vulnerable Digi International PortServer TS, Digi One SP, Digi One SP IA, or Digi One IA device.</li>
<li><strong>Authentication Bypass (CVE-2026-12352)</strong>: The attacker exploits the incorrect authorization vulnerability (CVE-2026-12352) to bypass the device's authentication mechanisms.</li>
<li><strong>Access Restricted Resources</strong>: Upon successful bypass, the attacker gains unauthorized access to restricted administrative resources and potentially sensitive configuration or operational data on the device.</li>
<li><strong>Credential Acquisition</strong>: Through access to restricted resources (or other means), the attacker obtains valid administrative credentials for the device.</li>
<li><strong>Malicious Script Injection (CVE-2026-12948)</strong>: As an authenticated administrator, the attacker injects malicious scripts (e.g., JavaScript) into system configuration fields through the web management interface, leveraging the stored XSS vulnerability (CVE-2026-12948).</li>
<li><strong>Client-Side Script Execution</strong>: A legitimate user, such as an IT or OT operator, views the affected administrative web pages, causing the injected malicious script to execute within their browser session.</li>
<li><strong>Browser Session Compromise</strong>: The executed script allows the attacker to steal the legitimate user's session cookies, impersonate the user, or potentially redirect them to malicious sites for further credential phishing.</li>
<li><strong>Further Device Control or Data Exfiltration</strong>: Leveraging the compromised session or stolen credentials, the attacker could perform unauthorized configuration changes, exfiltrate sensitive device data, or maintain persistence within the OT network segment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities could lead to significant operational disruptions and security breaches within critical infrastructure sectors globally. An unauthenticated bypass (CVE-2026-12352) grants attackers access to restricted device resources, allowing for potential manipulation or theft of sensitive operational technology data and administrative credentials. The stored cross-site scripting (CVE-2026-12948) further enables attackers to compromise legitimate user browser sessions, potentially leading to additional credential theft or unauthorized actions in the browser context. Affected devices are deployed worldwide across Critical Manufacturing, Communications, Information Technology, and Transportation Systems. Digi International will not provide firmware fixes for CVE-2026-12948 for products nearing end-of-life, increasing long-term risk for organizations unable to upgrade.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade affected Digi International devices to Digi Connect EZ or Digi Connect EZ TS as a long-term solution recommended by the vendor for CVE-2026-12352 and CVE-2026-12948.</li>
<li>For Digi PortServer TS, enable HTTPS on the web server to mitigate exploitation of CVE-2026-12352 and CVE-2026-12948.</li>
<li>For Digi One SP / Digi One SP IA / Digi One IA, disable the web server when not actively used for configuration to mitigate CVE-2026-12352 and CVE-2026-12948.</li>
<li>Restrict access to the web management interface of affected devices via a firewall or VPN as a compensating control for CVE-2026-12352 and CVE-2026-12948.</li>
<li>Safeguard administrator credentials, as exploitation of CVE-2026-12948 requires authenticated administrator access for script injection.</li>
<li>Deploy affected devices on trusted network segments, ensuring they are not exposed to untrusted or public networks, as a general recommended practice for all vulnerabilities discussed.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>ics</category><category>ot</category><category>network</category><category>webserver</category><category>vulnerability</category><category>authentication-bypass</category><category>xss</category><category>critical-manufacturing</category><category>communications</category><category>information-technology</category><category>transportation-systems</category></item></channel></rss>