CVE-2025-15620 PUBLISHED

HiOS Switch Platform Denial-of-Service via Web Interface

Assigner: VulnCheck
Reserved: 01.04.2026 Published: 02.04.2026 Updated: 03.04.2026

HiOS Switch Platform versions 09.1.00 prior to 09.4.05 and 10.3.01 contains a denial-of-service vulnerability in the web interface that allows remote attackers to reboot the affected device by sending a malicious HTTP GET request to a specific endpoint. Attackers can trigger an uncontrolled reboot condition through crafted HTTP requests to cause service disruption and unavailability of the switch.

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVSS Score: 9.3

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
CVSS Score: 9.2

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Belden
Product	Hirschmann HiOS Switch Platform
Versions	Default: unaffected affected from 09.1.00 to 09.4.05 (incl.) affected from 10.0.00 to 10.3.01 (incl.)

References

Belden Security Advisories

Problem Types

CWE-306 Missing Authentication for Critical Function CWE