Full Report
CERT Polska has received a report about 2 vulnerabilities (CVE-2026-46458 and CVE-2026-46459) found in ICU Scandinavia Boomerang software.
Analysis Summary
# Vulnerability: Information Disclosure and Missing Authorization in ICU Scandinavia Boomerang
## CVE Details
- **CVE ID:** CVE-2026-46458, CVE-2026-46459
- **CVSS Score:** Not explicitly provided in the source (Typically High/Critical for credential exposure and unauthorized DB writes)
- **CWE:**
- CWE-522 (Insufficiently Protected Credentials)
- CWE-862 (Missing Authorization)
## Affected Systems
- **Products:** ICU Scandinavia Boomerang
- **Versions:** All versions prior to 2.4.18.029
- **Configurations:** Systems where the web interface and device receiver endpoints are accessible via the network.
## Vulnerability Description
The Boomerang software is affected by two distinct security flaws:
1. **CVE-2026-46458:** The application exposes sensitive XML configuration files via static HTTP within the webroot. These files contain plaintext credentials for service accounts and SMTP servers.
2. **CVE-2026-46459:** The device receiver endpoints lack proper authentication mechanisms. This allows an attacker to interact with the facility configuration and the sensor database.
## Exploitation
- **Status:** Not reported as exploited in the wild (Reported via Coordinated Vulnerability Disclosure).
- **Complexity:** Low (Requires simple HTTP requests to known paths/endpoints).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Exposure of plaintext service/SMTP credentials and full facility configurations).
- **Integrity:** High (Unauthorized actors can write data to the sensor database).
- **Availability:** Not explicitly specified, but unauthorized database writes could potentially lead to data corruption.
## Remediation
### Patches
- **Update to version 2.4.18.029** or higher. This version addresses both the credential exposure and the missing authentication on receiver endpoints.
### Workarounds
- **Network Segmentation:** Restrict access to the Boomerang webroot and receiver endpoints to authorized IP addresses only.
- **Access Control:** Implement external authentication (e.g., VPN or Reverse Proxy with authentication) if the software cannot be updated immediately.
## Detection
- **Indicators of Compromise:** Unusual HTTP GET requests for XML files in the webroot; unexpected entries or modifications in the sensor database originated from unknown IP addresses.
- **Detection methods:** Review web server access logs for requests targeting configuration files or device receiver endpoints from unauthorized sources.
## References
- CERT Polska Advisory: hxxps[://]cert[.]pl/en/posts/2026/07/vulnerabilities-in-icu-scandinavia-boomerang-software/
- CVE-2026-46458: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-46458
- CVE-2026-46459: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-46459