Digi International PortServer TS, Digi One SP IA
Summary
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and gain access to restricted resources, obtain credentials, and inject malicious scripts.
The following versions of Digi International PortServer TS, Digi One SP IA are affected:
- PortServer TS
- Digi One SP
- Digi One SP IA
- Digi One IA
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 5.9 | Digi International | Digi International PortServer TS, Digi One SP IA | Incorrect Authorization, Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
Background
- Critical Infrastructure Sectors: Critical Manufacturing, Communications, Information Technology, Transportation Systems
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States
Vulnerabilities
CVE-2026-12352
The vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.
Affected Products
Digi International PortServer TS, Digi One SP IA
Digi International
Digi International PortServer TS: <Firmware_2025, Digi International Digi One SP: <Firmware_2025, Digi International Digi One SP IA: <Firmware_2025, Digi International Digi One IA: <Firmware_2025
known_affected
Remediations
Mitigation
Digi International recommends users upgrade to Digi Connect EZ or Digi Connect EZ TS as a long term solution. If users are not able to upgrade at this time, the following actions should be taken:
Vendor fix
For Digi PortServer TS: Enable HTTPS on the web server.
Mitigation
Alternatively, disable the web server when it is not actively being used for configuration.
Mitigation
Compensating control: If you cannot apply the HTTPS configuration, restrict access via firewall or VPN.
Vendor fix
For Digi One SP / Digi One SP IA / Digi One IA: Disable the web server. If you cannot apply the HTTPS configuration, restrict access via firewall or VPN.
Mitigation
The following deployment practices are the recommended means of reducing exposure: Deploy the device on a trusted network segment, not exposed to untrusted or public networks.
Mitigation
Place the device behind a firewall or VPN and restrict access to the web management interface to trusted administrative hosts only.
Mitigation
Safeguard administrator credentials, since exploitation requires authenticated administrator access to write the affected fields.
Mitigation
For assistance users should contact Digi International’s support team https://www.digi.com/support.
https://www.digi.com/support
Relevant CWE: CWE-863 Incorrect Authorization
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 4.0 | 8.2 | HIGH | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |

