{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-40841", "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "state": "PUBLISHED", "assignerShortName": "ERIC", "dateReserved": "2025-04-16T08:59:01.744Z", "datePublished": "2026-03-25T13:07:53.229Z", "dateUpdated": "2026-03-25T13:44:45.962Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "shortName": "ERIC", "dateUpdated": "2026-03-25T13:17:23.852Z"}, "title": "Ericsson Indoor Connect 8855 - Cross-Site Request Forgery Vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-352", "description": "CWE-352 Cross-Site request forgery (CSRF)", "type": "CWE"}]}], "affected": [{"vendor": "Ericsson", "product": "Indoor Connect 8855", "versions": [{"status": "affected", "version": "0", "lessThan": "2025.Q3", "changes": [{"at": "2025.Q3", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Ericsson Indoor Connect 8855 versions prior to 2025.Q3\u00a0contains a\nCross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead\nto unauthorized modification of certain information.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a\nCross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead\nto unauthorized modification of certain information. "}]}], "references": [{"url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-indoorconnect-march-2026"}, {"url": "https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-40841"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Telstra", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:44:36.014812Z", "id": "CVE-2025-40841", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:44:45.962Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-40841", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:44:36.014812Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:44:40.816Z"}}], "cna": {"title": "Ericsson Indoor Connect 8855 - Cross-Site Request Forgery Vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Telstra"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ericsson", "product": "Indoor Connect 8855", "versions": [{"status": "affected", "changes": [{"at": "2025.Q3", "status": "unaffected"}], "version": "0", "lessThan": "2025.Q3", "versionType": "custom"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-indoorconnect-march-2026"}, {"url": "https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-40841"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Ericsson Indoor Connect 8855 versions prior to 2025.Q3\u00a0contains a\nCross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead\nto unauthorized modification of certain information.", "supportingMedia": [{"type": "text/html", "value": "Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a\nCross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead\nto unauthorized modification of certain information. ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site request forgery (CSRF)"}]}], "providerMetadata": {"orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "shortName": "ERIC", "dateUpdated": "2026-03-25T13:17:23.852Z"}}}, "cveMetadata": {"cveId": "CVE-2025-40841", "state": "PUBLISHED", "dateUpdated": "2026-03-25T13:44:45.962Z", "dateReserved": "2025-04-16T08:59:01.744Z", "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "datePublished": "2026-03-25T13:07:53.229Z", "assignerShortName": "ERIC"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ericsson:indoor_connect_8855_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "37C4F98B-D38A-47A6-B294-23A5E6291A81", "versionEndExcluding": "2025.q3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ericsson:indoor_connect_8855:-:*:*:*:*:*:*:*", "matchCriteriaId": "3B0C1261-B15A-4D91-AC65-9834D16A94F1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ericsson Indoor Connect 8855 versions prior to 2025.Q3\u00a0contains a\nCross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead\nto unauthorized modification of certain information."}, {"lang": "es", "value": "Las versiones de Ericsson Indoor Connect 8855 anteriores a 2025.Q3 contienen una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) que, si se explota, puede conducir a la modificaci\u00f3n no autorizada de cierta informaci\u00f3n."}], "id": "CVE-2025-40841", "lastModified": "2026-03-27T18:29:38.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "type": "Secondary"}]}, "published": "2026-03-25T14:16:30.403", "references": [{"source": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "tags": ["Vendor Advisory"], "url": "https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-40841"}, {"source": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "tags": ["Vendor Advisory"], "url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-indoorconnect-march-2026"}], "sourceIdentifier": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2025.Q3)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[2025.Q3,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Indoor Connect 8855", "source": "cna", "vendor": "Ericsson"}, "product": "indoor_connect_8855", "vendor": "ericsson"}], "analysis": {"en": {"generated_at": "2026-03-27T21:22:48.103600+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware update (2025.Q3 or newer) available from Ericsson to the Indoor Connect\u202f8855."], "summary": {"action": "Apply Patch", "impact": "Unauthorized modification of configuration via CSRF"}, "threat_synthesis": {"affected_systems": "Ericsson Indoor Connect\u202f8855 devices running firmware versions released prior to the 2025.Q3 update are affected. All builds before that firmware release contain the flaw, regardless of specific build number. Users should consult the Ericsson PSIRT references to determine the firmware build on their device.", "description_and_impact": "A Cross\u2011Site Request Forgery flaw permits an attacker to cause an authenticated user to submit a forged request to the device, potentially altering configuration settings. This weakness is identified as CWE\u2011352 and compromises the integrity of the system; it does not lead to remote code execution or denial of service.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity, while the EPSS score of less than 1\u202f% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog. The most likely attack vector involves an attacker tricking an authenticated user into visiting a malicious page or clicking a crafted link that, when rendered by the user\u2019s browser, submits a forged request to the device. Based on the description, it is inferred that the attacker needs an authenticated session to succeed; no remote exploitation is described."}}}}, "created": "2026-03-25T21:31:16.390735+00:00", "updated": "2026-03-29T20:28:28.227512+00:00", "vendors": ["ericsson", "ericsson$PRODUCT$indoor_connect_8855"]}