CVE-2026-9758: Improper Certificate Validation in S2OPC
Improper comparison with the certificates trusted list in S2OPC allows an attacker's well-formed untrusted certificate to be considered trusted.
Metrics
- CVSS v3.1: 7.3
- Severity: HIGH
- Fixed in: 1.7.3
- Affected Products: 1
HarborGuard Analysis
Synopsis
Improper certificate validation in Systerel S2OPC (versions 1.5.0 up to, but not including, 1.7.3) allows a network-accessible attacker to present a well-formed but untrusted certificate that the server incorrectly accepts as trusted. No authentication or user interaction is needed to exploit this flaw, since the bypass occurs during the TLS/OPC UA handshake itself. Successful exploitation gives the attacker read, write, and disruption access to resources protected by that certificate trust boundary. A patched-image rebuild at version 1.7.3 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle S2OPC. Images running S2OPC versions 1.5.0 through 1.7.2 are flagged automatically.
Available
HarborGuard scores this CVE at CVSS 7.3 (High) and weights it against each environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Available
A patched-image rebuild at S2OPC 1.7.3 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.
Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the S2OPC service over the network; the vulnerability is exposed on any network-accessible endpoint running an affected version.
- Authentication: Not required
  No credentials are needed; the certificate substitution occurs before any authenticated session is established.
- Victim interaction: Not required
  No user or operator action is required; the attacker initiates the connection and the bypass is handled entirely by the server.
- Attack complexity: Detail
  Attack complexity is low; the exploit requires only a well-formed certificate and no race conditions, memory layout knowledge, or special environmental conditions.
Blast Radius
- An attacker accepted as a trusted peer can read data exposed on the OPC UA session, including sensor readings, process values, and any application-layer telemetry the server exposes.
- The attacker can write values or issue commands permitted to the impersonated certificate identity, potentially modifying control-system state or configuration.
- The attacker can send malformed or high-volume requests that disrupt service availability for legitimate clients connected to the same endpoint.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE ingestion for any image containing S2OPC 1.5.0 through 1.7.2, including custom-built images. A rebuilt image at version 1.7.3 is made available automatically once the affected image is identified. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression test run against the patched image, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy requires manual approval, the rebuilt image and a populated findings report are staged and ready for reviewer action without any additional setup.
Fix available
- Systerel / S2OPC: < 1.7.3 (from 1.5.0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L