CVE-2025-3659 CRITICAL

CVE-2025-3659: Improper authentication handling for Digi PortServer TS; Digi One SP, SP IA, IA; Digi One IAP

Vendor Digi International
Product Digi PortServer TS
Weakness CWE-287 · Improper authentication
Published May 12, 2025
Last update May 12, 2025

CVSS base score

9.4/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L

What the vulnerability does

01 Description

Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families:

* Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022
* Digi One SP/Digi One SP IA/Digi One IA - prior to and including 82000774_Z, build date 10/19/2020
* Digi One IAP - prior to and including 82000770 Z, build date 10/19/2020

A specially crafted POST request to the device’s web interface may allow an unauthenticated attacker to modify configuration settings.

Key dates

02 Disclosure timeline

May 12, 2025 CVE published
May 12, 2025 Record updated