Missing Support for HTTPS in Kerlink Gateways
| CVE ID | CVE-2024-32384 |
| CVE Link | https://nvd.nist.gov/vuln/detail/CVE-2024-32384 |
| Vendor | Kerlink |
| Affected Product & Version | KerOS < 5.10 |
| Vulnerability Type | CWE-319: Cleartext Transmission of Sensitive Information |
| CVSS Base Score / CVSS Vector | NVD: Waiting for Analysis; BDO: 6.8 Medium / |
| Author | Manfred Heinz |
| Date | 2025-11-21 |
CVE Details
Description:
Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without HTTPS support. This lack of transport layer security allows a man-in-the-middle attacker to intercept and modify traffic between the client and the device.
Remediation:
Access via HTTPS is available from KerOS 5.10. The KerOS Wiki provides instructions on how to enable HTTPS; see references below.
References:
- https://keros.docs.kerlink.com/security/security_advisories_kerOS5
- https://wikikerlink.fr/wirnet-productline/doku.php?id=wiki:resources:sw_history#keros_firmware_v5120_november_2025
- https://wikikerlink.fr/wirnet-productline/doku.php?id=wiki:systeme_mana:webui&s[]=enable&s[]=https#https_web_interface
Timeline
2024-03-19: Vulnerability reported to Kerlink
2024-03-23: Kerlink informed us that the issues were under analysis
2024-03-29: Vendor confirmed the vulnerabilities and provided an update on the current status of the analysis, including potential fixes
2024-04-08: We provided feedback on the potential fixes
2024-04-28: Vendor provided an update on the status of the potential fixes
2024-06-11: We reported additional vulnerabilities; ongoing communication regarding these issues
2025-08-05: Informed Kerlink of our intention to release the CVEs
2025-11-06: Vendor released an update
2025-11-21: CVE published

