
PSIRT-123: IStaX Privilege Escalation via Weak Cookie Authentication

Vulnerability Details

Date of Disclosure: 04/14/2026

Affected Product: IStaX (VSC6817)

  • Vulnerability Type: Privilege escalation
  • CVE Identifier: CVE-2026-2336
  • CVSS Score: 8.7
  • Vulnerability Description:
    • The web management interface uses a webstax_auth cookie design that allows a low-privileged authenticated user to recover a shared per-device secret from their own session cookie and forge a new cookie with administrative privileges
  • Affected Versions:
    • Versions prior to 2026.03
  • Vulnerability Status:
    • Resolved in version 2026.03

Risk Assessment

Successful exploitation can grant full administrator access to the device web interface without following the normal login flow, reducing audit visibility and allowing unauthorized configuration changes or service disruption.

Mitigation

Upgrade IStaX to version 2026.03 or later.

Patch/Release Information

Version 2026.03 updates the authentication cookie handling so low-privileged users can no longer derive a reusable shared secret and forge higher-privilege cookies.
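The property the fix restores is that possession of a valid cookie must not reveal the secret used to mint cookies, so that editing the privilege field produces a cookie the server rejects. The following is an added illustration of that property in a generic keyed-MAC cookie scheme; it is not IStaX code and not the real webstax_auth format, whose internals the advisory does not publish. It assumes a server-only random 256-bit key (SERVER_KEY), a JSON payload carrying a random session id, user name and role, and an HMAC-SHA256 tag over that payload; all names are hypothetical.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-only key: generated on the device, never written into a cookie,
# never derivable from one. A fresh random key per device (or per boot, if sessions
# may be dropped on reboot) is fine; a fixed vendor-wide constant is not.
SERVER_KEY = secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text)


def issue_cookie(username: str, role: str, key: bytes = SERVER_KEY) -> str:
    """Mint 'payload.tag'. The tag binds every field, including role, to the server key."""
    payload = json.dumps(
        {"sid": secrets.token_hex(16), "user": username, "role": role, "iat": int(time.time())},
        separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the payload dict if the tag is valid under the server key, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison: a byte-by-byte early exit would leak tag bytes via timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def edited_role_cookie(cookie: str, new_role: str) -> str:
    """Defender's negative test: rewrite the role field but keep the original tag."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    data = json.loads(_b64d(payload_b64))
    data["role"] = new_role
    payload = json.dumps(data, separators=(",", ":")).encode()
    return _b64e(payload) + "." + tag_b64


def self_check() -> dict:
    """Exercise the scheme on a constructed low-privilege session and report outcomes."""
    cookie = issue_cookie("operator", "user")
    return {
        "genuine_accepted": verify_cookie(cookie) is not None,
        "genuine_role": verify_cookie(cookie)["role"],
        "edited_role_rejected": verify_cookie(edited_role_cookie(cookie, "admin")) is None,
        "wrong_key_rejected": verify_cookie(cookie, key=b"\x00" * 32) is None,
        "garbage_rejected": verify_cookie("not-a-cookie") is None,
    }


if __name__ == "__main__":
    for name, ok in self_check().items():
        print(f"{name}: {ok}")
```

The check that matters for this class of bug is the `edited_role_rejected` case: a user who holds a valid low-privilege cookie can read its payload but cannot produce a valid tag for any other payload, because the key never leaves the server. A server-side session table keyed by the random session id, with the role looked up on the server rather than carried in the cookie at all, is an equally sound alternative and removes the privilege field from client reach entirely.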

Acknowledgements

Reported by Rickard Jonsson

Recommendations

It is strongly recommended that all customers upgrade affected IStaX deployments to version 2026.03 or later.
