CVE-2025-3659

12.05.2025, 21:15

Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families: 

  *  Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022


  *  Digi One SP/Digi One SP IA/Digi One IA - prior to and including 82000774_Z, build date 10/19/2020


  *  Digi One IAP  prior to and including 82000770 Z, build date 10/19/2020




A specially crafted POST request to the devices web interface may allow an unauthenticated attacker to modify configuration settings.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
Digi	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 23%

Common Weakness Enumeration

CWE-287 - Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

References

https://hub.digi.com/support/products/infrastructure-management/digi-one-iap-haz/

https://hub.digi.com/support/products/infrastructure-management/digi-one-sp-ia/

https://hub.digi.com/support/products/infrastructure-management/digi-portserver-ts/

https://www.digi.com/getattachment/Resources/Security/Alerts/Improper-authentication-handling-for-Digi-PortServ/improper-authentication-handling.pdf