{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/communications/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":5.9,"id":"CVE-2026-12352"},{"id":"CVE-2026-12948"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PortServer TS (\u003cFirmware_2025)","Digi One SP (\u003cFirmware_2025)","Digi One SP IA (\u003cFirmware_2025)","Digi One IA (\u003cFirmware_2025)"],"_cs_severities":["high"],"_cs_tags":["ics","ot","network","webserver","vulnerability","authentication-bypass","xss","critical-manufacturing","communications","information-technology","transportation-systems"],"_cs_type":"threat","_cs_vendors":["Digi International"],"content_html":"\u003cp\u003eThis CISA advisory details multiple vulnerabilities, CVE-2026-12352 and CVE-2026-12948, affecting Digi International PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA devices with firmware versions prior to 2025. An unauthenticated attacker can exploit CVE-2026-12352, an incorrect authorization vulnerability, to bypass authentication on the web management interface and gain access to restricted resources, potentially leading to credential acquisition. CVE-2026-12948 is a stored cross-site scripting (XSS) vulnerability that allows a remote, authenticated administrator to inject malicious scripts into system configuration fields. These scripts then execute in the browser of any user viewing the affected pages. The vulnerabilities pose a significant risk to critical infrastructure sectors including Manufacturing, Communications, Information Technology, and Transportation Systems, with devices deployed worldwide. While no active exploitation has been reported, successful attacks could lead to unauthorized control, data theft, and further compromise of operational technology environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access via Web Interface\u003c/strong\u003e: An unauthenticated attacker targets the web management interface of a vulnerable Digi International PortServer TS, Digi One SP, Digi One SP IA, or Digi One IA device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Bypass (CVE-2026-12352)\u003c/strong\u003e: The attacker exploits the incorrect authorization vulnerability (CVE-2026-12352) to bypass the device's authentication mechanisms.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccess Restricted Resources\u003c/strong\u003e: Upon successful bypass, the attacker gains unauthorized access to restricted administrative resources and potentially sensitive configuration or operational data on the device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Acquisition\u003c/strong\u003e: Through access to restricted resources (or other means), the attacker obtains valid administrative credentials for the device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Script Injection (CVE-2026-12948)\u003c/strong\u003e: As an authenticated administrator, the attacker injects malicious scripts (e.g., JavaScript) into system configuration fields through the web management interface, leveraging the stored XSS vulnerability (CVE-2026-12948).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eClient-Side Script Execution\u003c/strong\u003e: A legitimate user, such as an IT or OT operator, views the affected administrative web pages, causing the injected malicious script to execute within their browser session.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBrowser Session Compromise\u003c/strong\u003e: The executed script allows the attacker to steal the legitimate user's session cookies, impersonate the user, or potentially redirect them to malicious sites for further credential phishing.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFurther Device Control or Data Exfiltration\u003c/strong\u003e: Leveraging the compromised session or stolen credentials, the attacker could perform unauthorized configuration changes, exfiltrate sensitive device data, or maintain persistence within the OT network segment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to significant operational disruptions and security breaches within critical infrastructure sectors globally. An unauthenticated bypass (CVE-2026-12352) grants attackers access to restricted device resources, allowing for potential manipulation or theft of sensitive operational technology data and administrative credentials. The stored cross-site scripting (CVE-2026-12948) further enables attackers to compromise legitimate user browser sessions, potentially leading to additional credential theft or unauthorized actions in the browser context. Affected devices are deployed worldwide across Critical Manufacturing, Communications, Information Technology, and Transportation Systems. Digi International will not provide firmware fixes for CVE-2026-12948 for products nearing end-of-life, increasing long-term risk for organizations unable to upgrade.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade affected Digi International devices to Digi Connect EZ or Digi Connect EZ TS as a long-term solution recommended by the vendor for CVE-2026-12352 and CVE-2026-12948.\u003c/li\u003e\n\u003cli\u003eFor Digi PortServer TS, enable HTTPS on the web server to mitigate exploitation of CVE-2026-12352 and CVE-2026-12948.\u003c/li\u003e\n\u003cli\u003eFor Digi One SP / Digi One SP IA / Digi One IA, disable the web server when not actively used for configuration to mitigate CVE-2026-12352 and CVE-2026-12948.\u003c/li\u003e\n\u003cli\u003eRestrict access to the web management interface of affected devices via a firewall or VPN as a compensating control for CVE-2026-12352 and CVE-2026-12948.\u003c/li\u003e\n\u003cli\u003eSafeguard administrator credentials, as exploitation of CVE-2026-12948 requires authenticated administrator access for script injection.\u003c/li\u003e\n\u003cli\u003eDeploy affected devices on trusted network segments, ensuring they are not exposed to untrusted or public networks, as a general recommended practice for all vulnerabilities discussed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T16:49:26Z","date_published":"2026-07-07T16:49:26Z","id":"https://feed.craftedsignal.io/briefs/2026-07-digi-international-vulnerabilities/","summary":"Multiple vulnerabilities, including CVE-2026-12352 (incorrect authorization) and CVE-2026-12948 (stored cross-site scripting), affect Digi International PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA devices with firmware prior to 2025, allowing unauthenticated bypass, access to restricted resources, credential acquisition, and client-side script execution in critical infrastructure environments.","title":"Multiple Vulnerabilities in Digi International PortServer TS and Digi One SP IA Devices","url":"https://feed.craftedsignal.io/briefs/2026-07-digi-international-vulnerabilities/"}],"language":"en","title":"CraftedSignal Threat Feed - Communications","version":"https://jsonfeed.org/version/1.1"}