Planet Technology reports security flaws in their network products
Take action: If you are using Planet Technology products, review the advisory in detail for affected models. Make sure the devices are isolated from the internet and accessible only from trusted networks. Then plan a patch cycle: some of the flaws are quite embarrassing and easy to exploit, like the hard-coded credentials.
Planet Technology has recently addressed multiple critical security vulnerabilities affecting various network products in their portfolio. These vulnerabilities pose significant risks to organizations using the affected devices, as they could allow remote attackers to gain unauthorized access, execute commands, and compromise systems with minimal effort.
The following Planet Technology products and versions are vulnerable:
- UNI-NMS-Lite: Versions 1.0b211018 and prior
- NMS-500: All Versions
- NMS-1000V: All Versions
- WGS-804HPT-V2: Versions 2.305b250121 and prior
- WGS-4215-8T2S: Versions 1.305b241115 and prior
The following critical vulnerabilities have been identified:
- CVE-2025-46271 (CVSS score 9.3): OS Command Injection vulnerability in UNI-NMS-Lite that allows unauthenticated attackers to read or manipulate device data.
- CVE-2025-46272 (CVSS score 9.3): OS Command Injection vulnerability in WGS-804HPT-V2 and WGS-4215-8T2S that allows unauthenticated attackers to execute OS commands on the host system.
- CVE-2025-46273 (CVSS score 9.3): Hard-coded credentials in UNI-NMS-Lite that allow unauthenticated attackers to gain administrative privileges to all UNI-NMS managed devices.
- CVE-2025-46274 (CVSS score 9.3): Hard-coded credentials in UNI-NMS-Lite that allow unauthenticated attackers to read, manipulate, and create entries in the managed database.
- CVE-2025-46275 (CVSS score 9.3): Missing authentication for critical function in WGS-804HPT-V2 and WGS-4215-8T2S that allows attackers to create administrator accounts without knowing existing credentials.
Successful exploitation of these vulnerabilities could enable attackers to read or manipulate device data, gain administrative privileges, or alter database entries, potentially leading to complete compromise of affected systems.
Planet Technology has released patches for the affected devices. CISA also recommends that users minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet, place control system networks and remote devices behind firewalls, and isolate them from business networks. When remote access is required, use VPNs.
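To check an asset inventory against the affected-version list above, the following added example (not code from Planet Technology or CISA) compares installed firmware strings with the last affected build per model. It assumes the version format is `major.minor`, then `b`, then a six-digit build stamp that increases with each release; the function names and the sample inventory are constructed for illustration.

```python
import re

# Last affected build per model, from the advisory list above. None = all versions.
AFFECTED = {
    "UNI-NMS-Lite": "1.0b211018",
    "NMS-500": None,
    "NMS-1000V": None,
    "WGS-804HPT-V2": "2.305b250121",
    "WGS-4215-8T2S": "1.305b241115",
}
_VERSION = re.compile(r"^v?(\d+)\.(\d+)b(\d{6})$", re.IGNORECASE)

def parse_version(text):
    """Split '2.305b250121' into the tuple (2, 305, 250121)."""
    # Assumption: digits after 'b' are an increasing build stamp, so tuples sort in release order.
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def is_affected(model, version):
    """Return True, False, or None when the version cannot be parsed."""
    key = {k.lower(): k for k in AFFECTED}.get(model.strip().lower())
    if key is None:
        return False  # model is not named in the advisory
    last_bad = AFFECTED[key]
    if last_bad is None:
        return True  # every version is listed as vulnerable
    try:
        return parse_version(version) <= parse_version(last_bad)
    except ValueError:
        return None  # unreadable version: needs a manual check

def triage(inventory):
    """Map each (host, model, version) row to 'affected', 'not affected' or 'review'."""
    labels = {True: "affected", False: "not affected", None: "review"}
    return {host: labels[is_affected(m, v)] for host, m, v in inventory}

SAMPLE = [  # constructed inventory: hostnames and installed versions are made up
    ("nms-lab", "UNI-NMS-Lite", "1.0b211018"),
    ("sw-floor1", "WGS-804HPT-V2", "2.305b250305"),
    ("sw-floor2", "wgs-4215-8t2s", "1.305b240901"),
    ("nms-core", "NMS-500", "unknown"),
    ("sw-yard", "WGS-804HPT-V2", "custom-build"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

A "review" result means the version string did not match the assumed format and the device should be checked by hand rather than treated as safe.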