Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for Hirschmann HiLCOS by Belden
CVE-2015-10148 (GCVE-0-2015-10148)
Vulnerability from nvd – Published: 2026-04-03 21:42 – Updated: 2026-04-06 13:11
VLAI?
Title
Hirschmann HiLCOS Hard-coded Credentials SSH SSL Keys
Summary
Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated remote attackers to decrypt or intercept encrypted management communications. Attackers can perform man-in-the-middle attacks, impersonate devices, and expose sensitive information by leveraging the shared default cryptographic keys across multiple devices.
Severity ?
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Belden | Hirschmann HiLCOS |
Unaffected:
>= 9.10
(custom)
Affected: 0 , ≤ 9.00-RU1 (semver) Affected: 0 , ≤ 8.80 (semver) Affected: 0 , ≤ 8.60 (semver) |
Date Public ?
2015-12-11 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2015-10148",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T13:11:11.390412Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T13:11:22.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Hirschmann HiLCOS",
"vendor": "Belden",
"versions": [
{
"status": "unaffected",
"version": "\u003e= 9.10",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.00-RU1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.80",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2015-12-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated remote attackers to decrypt or intercept encrypted management communications. Attackers can perform man-in-the-middle attacks, impersonate devices, and expose sensitive information by leveraging the shared default cryptographic keys across multiple devices."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T21:42:51.401Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://assets.belden.com/m/76d31798e65c9f47/original/Security-Bulletin-SSH-SSL-Default-Keys-HiLCOS-Hirschmann-BSECV-2015-12.pdf"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/hirschmann-hilcos-hard-coded-credentials-ssh-ssl-keys"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hirschmann HiLCOS Hard-coded Credentials SSH SSL Keys"
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2015-10148",
"datePublished": "2026-04-03T21:42:51.401Z",
"dateReserved": "2026-04-03T21:32:33.851Z",
"dateUpdated": "2026-04-06T13:11:22.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2015-10148 (GCVE-0-2015-10148)
Vulnerability from cvelistv5 – Published: 2026-04-03 21:42 – Updated: 2026-04-06 13:11
VLAI?
Title
Hirschmann HiLCOS Hard-coded Credentials SSH SSL Keys
Summary
Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated remote attackers to decrypt or intercept encrypted management communications. Attackers can perform man-in-the-middle attacks, impersonate devices, and expose sensitive information by leveraging the shared default cryptographic keys across multiple devices.
Severity ?
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Belden | Hirschmann HiLCOS |
Unaffected:
>= 9.10
(custom)
Affected: 0 , ≤ 9.00-RU1 (semver) Affected: 0 , ≤ 8.80 (semver) Affected: 0 , ≤ 8.60 (semver) |
Date Public ?
2015-12-11 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2015-10148",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T13:11:11.390412Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T13:11:22.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Hirschmann HiLCOS",
"vendor": "Belden",
"versions": [
{
"status": "unaffected",
"version": "\u003e= 9.10",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.00-RU1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.80",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2015-12-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated remote attackers to decrypt or intercept encrypted management communications. Attackers can perform man-in-the-middle attacks, impersonate devices, and expose sensitive information by leveraging the shared default cryptographic keys across multiple devices."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T21:42:51.401Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://assets.belden.com/m/76d31798e65c9f47/original/Security-Bulletin-SSH-SSL-Default-Keys-HiLCOS-Hirschmann-BSECV-2015-12.pdf"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/hirschmann-hilcos-hard-coded-credentials-ssh-ssl-keys"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hirschmann HiLCOS Hard-coded Credentials SSH SSL Keys"
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2015-10148",
"datePublished": "2026-04-03T21:42:51.401Z",
"dateReserved": "2026-04-03T21:32:33.851Z",
"dateUpdated": "2026-04-06T13:11:22.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}