CVE-2026-29521 MEDIUM

CVE-2026-29521: Hereta ETH-IMC408M CSRF via Configuration Setup

Vendor Shenzhen Hereta Technology Co., Ltd.

Product Hereta ETH-IMC408M

Weakness CWE-352 · CSRF

Published March 16, 2026

Last update March 17, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a cross-site request forgery vulnerability that allows attackers to modify device configuration by exploiting missing CSRF protections in setup.cgi. Attackers can host malicious pages that submit forged requests using automatically-included HTTP Basic Authentication credentials to add RADIUS accounts, alter network settings, or trigger diagnostics.

Key dates

02Disclosure timeline

March 16, 2026 CVE published

March 17, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-29521 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/352.html

Related vulnerabilities

Identifiers

CVE CVE-2026-29521

CWE CWE-352

CVSS 5.1 / MEDIUM

Affected versions