Upgrade to 3.4.8 and later where possible.
VAPT-2026-00002 | Internet-exposed router management plane
Public case record following the coordinated disclosure of exposed administrative router surfaces and their remediation window.
Case Overview
Upgrade or rebuild toward 3.4.8 and later.
Summary
Public case record following the coordinated disclosure of exposed administrative router surfaces and their remediation window.
Affected Scope
How Attackers Can Misuse This
- Internet-facing management panels materially increased the likelihood of credential attacks, privileged reconfiguration, and operational disruption in affected deployments.
Root Cause
The exposed listener accepted privileged management requests from public networks and did not consistently enforce MFA or origin restrictions in legacy deployments.
record: VAPT-2026-00002
severity: HIGH
product: Edge Controller 3.x
target_versions: 3.0.0 through 3.4.7
linked_cves: CVE-2026-11801
cvss_vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
What You Can Do
Treat exposed management surfaces and previously issued credentials as potentially compromised.
Rotate affected secrets, tokens, and privileged service credentials after remediation is applied.
Move management access behind trusted channels, enforce MFA, rotate exposed credentials, and apply the fixed policy bundle that disables public exposure by default.
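An added example, not part of the original case record or the vendor's tooling: a small audit of a listener inventory against the checks named above (trusted bind address, MFA, origin restriction, affected version range). The inventory schema, listener names, and `TRUSTED_NETWORKS` are constructed assumptions, not Edge Controller's real configuration format.

```python
import ipaddress

# Constructed inventory in a hypothetical schema (not the product's real config).
TRUSTED_NETWORKS = ["10.20.0.0/16"]  # assumed management VPN / jump-host range
SAMPLE_LISTENERS = [
    {"name": "legacy-admin", "bind": "0.0.0.0", "version": "3.2.1",
     "mfa_required": False, "allowed_origins": []},
    {"name": "branch-admin", "bind": "203.0.113.10", "version": "3.4.8",
     "mfa_required": True, "allowed_origins": ["0.0.0.0/0"]},
    {"name": "core-admin", "bind": "10.20.0.5", "version": "3.4.8",
     "mfa_required": True, "allowed_origins": ["10.20.0.0/24"]},
]
AFFECTED_FROM, FIXED_IN = (3, 0, 0), (3, 4, 8)  # 3.0.0 through 3.4.7 per the record


def audit(listener, trusted):
    """Return the list of findings for one management listener."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    findings = []
    # A wildcard or public bind address is reachable outside the trusted channel.
    bind = ipaddress.ip_address(listener["bind"])
    if not any(bind in n for n in nets):
        findings.append("bind-outside-trusted-network")
    if not listener["mfa_required"]:
        findings.append("mfa-not-enforced")
    # Every allowed origin range must sit inside a trusted network.
    origins = [ipaddress.ip_network(o) for o in listener["allowed_origins"]]
    if not origins:
        findings.append("no-origin-restriction")
    elif not all(any(o.subnet_of(n) for n in nets) for o in origins):
        findings.append("origin-allows-untrusted-network")
    version = tuple(int(p) for p in listener["version"].split("."))
    if AFFECTED_FROM <= version < FIXED_IN:
        findings.append("affected-version")
    return findings


def audit_all(listeners, trusted):
    """Map each listener name to its findings; an empty list means it passed."""
    return {l["name"]: audit(l, trusted) for l in listeners}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_LISTENERS, TRUSTED_NETWORKS).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

A listener that is already on a fixed version can still fail the audit, as `branch-admin` does here, because the upgrade does not by itself narrow a permissive origin range or move the bind address.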
Tools
No downloadable tools or authenticated evidence packages are attached to this case.
What We Are Doing
The VAPT Edge Controller case is currently marked as published, with patch status reported as available. VAPT continues to keep the public lifecycle aligned with coordinated disclosure milestones and remediation visibility.
Timeline
| Date | Description |
|---|---|
| Jan 29, 2026 | Disclosure submitted: Initial evidence package reached VAPT and triggered coordinated outreach. |
| Feb 4, 2026 | Vendor confirmation: Affected operators confirmed the inherited management exposure pattern. |
| Feb 18, 2026 | Public release: Advisory, CVE record, and public case archive were published after remediation guidance was finalized. |
More Information
Redacted summary of public management-plane exposure validation.
Operator-facing remediation checklist for management-plane lockdown.