Predictable SNMP Community String in KerOS 4.3.3 and Below
Predictable SNMP Community String in KerOS 4.3.3 and Below
Predictable SNMP Community String in KerOS 4.3.3 and Below
| CVE ID | CVE-2024-32387 |
| CVE Link | https://nvd.nist.gov/vuln/detail/CVE-2024-32387 |
| Vendor | Kerlink |
| Affected Product & Version | KerOS ≤ 4.3.3 |
| Vulnerability Type | CWE-330 – Use of Insufficiently Random Values |
| CVSS Base Score / CVSS Vector | NVD: Awaiting analysis BDO: 5.7 Medium / CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| Author | Martin Weißbach |
| Date | 2026-05-27 |
CVE Details
Description:
The SNMP implementation in KerOS 4.3.3 and below uses a predictable SNMP community string derived from hardware-dependent information. In combination with an additional information disclosure vulnerability, an attacker may recover the community string with a low number of brute-force attempts.
Remediation:
KerOS4 and KerOS5 should no longer be used, as they are considered end of life. Instead, the most recent version of KerOS 6 should be used.
References:
Timeline
2024-03-19: Vulnerability reported to Kerlink
2024-03-23: Kerlink informed us that the issues were under analysis
2024-03-29: Vendor confirmed the vulnerabilities and provided an update on the current status of the analysis, including potential fixes
2024-04-08: We provided feedback on the fixes
2024-04-28: Vendor provided an update on the status of the fixes
2024-06-11: We reported additional vulnerabilities; ongoing communication regarding these issues
2025-08-05: We informed Kerlink of our intention to release the CVEs
2025-09-06: Vendor informed us that KerOS4 is EOL, KerOS will only be maintained for critical vulnerabilities tills end of 2025 and that this vulnerability does not affect KerOS6
2026-04-01: Coordinated public disclosure of this CVE was agreed upon with the vendor
2026-05-27: CVE published

