{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13926", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-12-02T21:00:14.794Z", "datePublished": "2026-04-09T19:47:17.841Z", "dateUpdated": "2026-04-10T14:11:21.320Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-04-09T19:47:17.841Z"}, "title": "Contemporary Controls BASC 20T Reliance on Untrusted Inputs in a Security Decision", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-807", "description": "CWE-807", "type": "CWE"}]}], "affected": [{"vendor": "Contemporary Controls", "product": "BASControl20", "versions": [{"status": "affected", "version": "3.1"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An attacker could use data obtained by sniffing the network traffic to \nforge packets in order to make arbitrary requests to Contemporary \nControls BASC 20T.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An attacker could use data obtained by sniffing the network traffic to \nforge packets in order to make arbitrary requests to Contemporary \nControls BASC 20T."}]}], "tags": ["unsupported-when-assigned"], "references": [{"url": "https://www.ccontrols.com/support/contacttech.htm"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-01.json"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "workarounds": [{"lang": "en", "value": "According to Contemporary Controls, the BASC-20T is an obsolete product. It is recommended that users of the affected product contact Contemporary Controls https://www.ccontrols.com/support/contacttech.htm for additional information.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "According to Contemporary Controls, the BASC-20T is an obsolete product. It is recommended that users of the affected product <a href=\"https://www.ccontrols.com/support/contacttech.htm\">contact Contemporary Controls</a> for additional information."}]}], "credits": [{"lang": "en", "value": "Joseph Fields of Naval Information Warfare Center Pacific reported this vulnerability to CISA.", "type": "finder"}], "source": {"advisory": "ICSA-26-099-01", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-807", "lang": "en", "description": "CWE-807 Reliance on Untrusted Inputs in a Security Decision"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T14:11:03.255285Z", "id": "CVE-2025-13926", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:11:21.320Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13926", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-10T14:11:03.255285Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-807", "description": "CWE-807 Reliance on Untrusted Inputs in a Security Decision"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:11:07.695Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "title": "Contemporary Controls BASC 20T Reliance on Untrusted Inputs in a Security Decision", "source": {"advisory": "ICSA-26-099-01", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Joseph Fields of Naval Information Warfare Center Pacific reported this vulnerability to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Contemporary Controls", "product": "BASControl20", "versions": [{"status": "affected", "version": "3.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.ccontrols.com/support/contacttech.htm"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-01.json"}], "workarounds": [{"lang": "en", "value": "According to Contemporary Controls, the BASC-20T is an obsolete product. It is recommended that users of the affected product contact Contemporary Controls https://www.ccontrols.com/support/contacttech.htm for additional information.", "supportingMedia": [{"type": "text/html", "value": "According to Contemporary Controls, the BASC-20T is an obsolete product. It is recommended that users of the affected product <a href=\"https://www.ccontrols.com/support/contacttech.htm\">contact Contemporary Controls</a> for additional information.", "base64": false}]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "An attacker could use data obtained by sniffing the network traffic to \nforge packets in order to make arbitrary requests to Contemporary \nControls BASC 20T.", "supportingMedia": [{"type": "text/html", "value": "An attacker could use data obtained by sniffing the network traffic to \nforge packets in order to make arbitrary requests to Contemporary \nControls BASC 20T.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-807", "description": "CWE-807"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-04-09T19:47:17.841Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13926", "state": "PUBLISHED", "dateUpdated": "2026-04-10T14:11:21.320Z", "dateReserved": "2025-12-02T21:00:14.794Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-04-09T19:47:17.841Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"cveTags": [{"sourceIdentifier": "ics-cert@hq.dhs.gov", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "An attacker could use data obtained by sniffing the network traffic to \nforge packets in order to make arbitrary requests to Contemporary \nControls BASC 20T."}], "id": "CVE-2025-13926", "lastModified": "2026-04-10T15:16:22.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-04-09T20:16:23.807", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-01.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.ccontrols.com/support/contacttech.htm"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-807"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-807"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "BASControl20", "source": "cna", "vendor": "Contemporary Controls"}, "product": "bascontrol20", "vendor": "contemporary_controls"}], "analysis": {"en": {"generated_at": "2026-04-09T21:50:27.354741+00:00", "value": {"mitigation_remediation": ["Contact Contemporary Controls for guidance and support regarding the BASC\u201120T vulnerability.", "Isolate or disconnect the BASC\u201120T controller from untrusted or external networks until a response is received.", "Deploy network monitoring to detect forged or anomalous traffic targeting the controller.", "Plan to replace the obsolete BASC\u201120T with a supported, secure alternative product."], "summary": {"action": "Apply Workaround", "impact": "Remote Impersonation or Configuration Manipulation"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the Contemporary Controls BASC 20T (BASControl20) controller used in industrial automation. The product is marked as obsolete and the advisory does not list specific firmware or hardware revisions; users must identify if their installations include this model and confirm the exact revision in use.", "description_and_impact": "Contemporary Controls BASC 20T allows an attacker who can observe traffic to forge packets that the device will treat as legitimate requests. Because the system relies on untrusted network input for security decisions, these forged requests can lead to unauthorized commands or configuration changes on the controller, potentially compromising the confidentiality, integrity, and availability of the industrial control system.", "risk_and_exploitability": "With a CVSS base score of 9.3 the issue is classified as critical. EPSS information is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation likely requires remote network access to capture legitimate traffic and then resend crafted packets to the controller, making it a remote attack that can have severe operational impacts."}}}}, "created": "2026-04-10T08:38:41.060257+00:00", "updated": "2026-04-10T09:29:24.205741+00:00", "vendors": ["contemporary_controls", "contemporary_controls$PRODUCT$bascontrol20"]}