Atop EHG2408 Industrial Switch RCE Hits CVSS 9.3
CVE-2026-3823 allows unauthenticated attackers to execute code on Atop Technologies industrial switches. Firmware 3.36 patches the critical buffer overflow.
A critical stack-based buffer overflow in Atop Technologies' EHG2408 series industrial switches allows unauthenticated remote attackers to hijack device execution flow and run arbitrary code. CVE-2026-3823 scores 9.3 under CVSS 4.0 and 8.8 under CVSS 3.1—both in the critical-to-high severity range.
Taiwan's CERT published advisories in both Chinese and English following coordinated disclosure. All EHG2408 firmware versions before 3.36 are affected.
Attack Surface and Impact
The EHG2408 series comprises 8-port gigabit managed switches designed for industrial automation, manufacturing floors, and harsh operational environments. These devices handle network traffic between programmable logic controllers, sensors, human-machine interfaces, and supervisory control systems.
The buffer overflow requires no authentication and no user interaction. An attacker with network access to the switch's management interface can send specially crafted packets that overflow a stack buffer, overwrite the return address, and redirect execution to attacker-controlled code. From there, complete device compromise follows.
In industrial networks, compromised switches give attackers:
- Packet sniffing capabilities for credential theft and process data collection
- Man-in-the-middle positioning to manipulate control traffic
- Pivot points for lateral movement to connected OT devices
- The ability to disrupt network segmentation controls
Remediation Steps
Atop Technologies released firmware version 3.36 to address the vulnerability. Operators should:
- Inventory affected devices: the EHG2408 series includes multiple SKUs (EHG2408, EHG2408-2SFP, etc.), all of which run the affected firmware
- Download firmware 3.36 from Atop's support portal
- Schedule maintenance windows for firmware updates
- Restrict management access via ACLs until patching is complete
- Monitor for exploitation attempts targeting the switch management interface
Organizations unable to patch immediately should implement strict network segmentation, ensuring management interfaces are only reachable from dedicated management VLANs with limited authorized hosts.
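The inventory step above is where most operators slip, because firmware strings like "v3.4" and "3.36" compare wrongly as text. The following is an added example, not code from the article or from Atop, that triages a constructed asset export and flags EHG2408-series switches (any SKU prefix) running firmware below the 3.36 fix level; the hostnames, addresses and the "3.36.1" string are made-up sample values.

```python
import csv
import io
import re

# Fix level named in the advisory: every EHG2408 firmware before 3.36 is affected.
FIXED_VERSION = "3.36"
AFFECTED_SERIES = "EHG2408"

# Constructed sample export from an asset-management tool. Hostnames, addresses
# and the "3.36.1" version are invented for illustration only.
SAMPLE_INVENTORY = """\
hostname,model,firmware,mgmt_ip
sw-line1,EHG2408,3.35,10.10.1.2
sw-line2,EHG2408-2SFP,v3.4,10.10.1.3
sw-line3,EHG2408,3.36,10.10.1.4
sw-core,OTHER-9000,1.0,10.10.0.1
sw-line4,ehg2408-2sfp,3.36.1,10.10.1.5
"""


def parse_version(text):
    """Turn '3.35', 'v3.4' or '3.36.1' into a tuple of ints.

    A plain string comparison ranks '3.4' above '3.36', which would hide a
    vulnerable device, so each dotted field is compared numerically.
    """
    fields = re.findall(r"\d+", text)
    if not fields:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(f) for f in fields)


def version_lt(a, b):
    """True when version tuple a is older than b; missing fields count as 0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_vulnerable(model, firmware):
    """EHG2408-series switch (any SKU suffix, any case) below the fixed release."""
    if not model.strip().upper().startswith(AFFECTED_SERIES):
        return False
    return version_lt(parse_version(firmware), parse_version(FIXED_VERSION))


def triage(inventory_csv):
    """Return the hostnames from a CSV export that still need firmware 3.36."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [row["hostname"] for row in reader
            if is_vulnerable(row["model"], row["firmware"])]


if __name__ == "__main__":
    print("Needs firmware 3.36:", triage(SAMPLE_INVENTORY))
```

Feed it the real export from your asset tool; the hosts it lists are the ones to fence off with management ACLs until the maintenance window.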
Industrial Network Equipment Under Siege
This vulnerability lands amid heightened attention on OT network infrastructure security. The zlib buffer overflow vulnerability disclosed recently affects embedded systems across multiple vendors, illustrating how foundational library flaws ripple through industrial supply chains.
We've also seen CISA mandate edge device replacement for federal agencies, recognizing that aging network equipment poses unacceptable risk. Industrial switches often run for years without firmware updates—an operational reality that vulnerability disclosures like CVE-2026-3823 force organizations to confront.
Atop Technologies equipment is particularly common in Southeast Asian and European manufacturing environments. Organizations using ProfiNet, EtherNet/IP, or Modbus TCP protocols should audit their switch infrastructure for vulnerable Atop devices.
Why This Matters
Network switches sit at the foundation of industrial communications. Unlike endpoint vulnerabilities that affect individual workstations, a compromised switch impacts every device passing traffic through it. The EHG2408's industrial focus means the devices likely connect systems where availability directly impacts physical processes.
Buffer overflows remain embarrassingly common in embedded systems. Vendors building industrial equipment often lack the security engineering maturity of enterprise IT vendors, yet their products protect critical infrastructure. Until that changes, defensive teams need to treat every ICS network device as a potential entry point and segment accordingly.