Digi Security Center - Alerts and Notifications

Alert - Security Advisory: CVE-2026-32746 (March 24th 2026)

Tue, 24 Mar 2026 13:00:00 GMT

On March 12, 2026, a critical vulnerability affecting GNU Inetutils telnetd was publicly disclosed (CVE-2026-32746). The issue has been reported as a pre-authentication remote code execution vulnerability with a CVSS severity score of 9.8. For more information, please see the attached security advisory.

Alert - Security Advisory Update: React Server Components Vulnerability (December 11 2025)

Thu, 11 Dec 2025 13:00:00 GMT

Update to our Security Advisory that was posted on December 9, 2025. On December 11, 2025, three new vulnerabilities were disclosed involving React Server Components (CVE-2025-55184, CVE-2025-67779, and CVE-2025-55183). The issue has been classified as a Denial of Service and Source Code Exposure, respectively.

Digi International confirmed potential impact across our product and service portfolio (confirmed as low) and immediately patched affected systems. Our internal security processes remain fully engaged, and our teams have verified all components that rely on React. Because we maintain regular update and patch cycles across our systems, our exposure to this vulnerability is minimal.

Alert - Security Advisory: React Server Components / Next.js Vulnerability (December 2025)

Tue, 09 Dec 2025 13:00:00 GMT

On December 3, 2025, a critical industry-wide vulnerability was disclosed involving React Server Components (RSC) and certain versions of Next.js (CVE-2025-55182 / CVE-2025-66478). The issue has been classified as a Remote Code Execution (RCE) vulnerability with the highest severity rating (CVSS 10.0). This vulnerability exists in the underlying open-source components used across many modern web frameworks.

Digi International confirmed potential impact across our product and service portfolio (confirmed as low), and immediately patched affected systems. Our internal security processes remain fully engaged, and our teams have verified all components that rely on React or Next.js. Because we maintain regular update and patch cycles across our systems, our exposure to this vulnerability is minimal.

Alert - Improper authentication handling for Digi PortServer TS; Digi One SP, SP IA, IA; Digi One IAP

Mon, 12 May 2025 13:00:00 GMT

Digi International has identified a security vulnerability affecting all versions of these products running firmware with release dates prior to 2025:

PortServer TS
Digi One SP/Digi One SP IA/Digi One IA
Digi One IAP

We are committed to the security and integrity of our products and the safety of our customers. Upon discovery of this issue, ourengineering team initiated a full investigation and has developed a fix to address the vulnerability.

Alert - Security fix has been released for ConnectPort LTS

Thu, 31 Oct 2024 13:00:00 GMT

A set of security fixes for improving how requests are handled in the web interface for the Digi ConnectPort LTS has been published and is ready for download at the following link: "https://hub.digi.com/support/products/infrastructure-management/digi-connectport-lts-8-16-32-terminal-server/?path=/support/asset/connectport-lts-eos-firmware".

Customers who cannot update firmware should disable the ConnectPort LTS unit web page until they are able to schedule an update.

The commands for disabling and re-enabling the web service from the command line as follows:

#> set service ra=10,11 state=off

to re-enable the web service:

#> set service ra=10,11 state=on

Alert - Security fix has been released for WR11, WR21, WR31, WR44R, WR44RR

Mon, 08 Jul 2024 13:00:00 GMT

A security fix has been released for WR11, WR21, WR31, WR44R, WR44RR Version 8.6.0.4 to patch the SSH entity to initialize an uninitialized variable, preventing the completion of an unauthenticated SSH sessions from starting after the first SSH session was established. Please download the latest firmware from our support site or via Digi Remote Manager

Alert - Terrapin Attack - SSH Vulnerability

Thu, 07 Mar 2024 13:00:00 GMT

Dear valued customers, we want to inform you about a recently discovered Common Vulnerabilities and Exposures (CVE) affecting some of our devices. For more information and recommended actions, please visit the following link. We appreciate your attention to this matter and thank you for your continued trust in our services.

Alert - RealPort CVEs

Fri, 25 Aug 2023 13:00:00 GMT

The attached document includes vulnerability findings from a report that Dragos submitted. These are CVEs that Dragos reported to us, Digi International. Included is a table of Digi International products that were reported as vulnerable by Dragos.

Alert - Ripple20 Public Disclosure

Thu, 20 Jul 2023 13:00:00 GMT

Digi International has recently become aware that CVE-2020-11901 is still impacting our NDS and NET+OS product lines, which were part of Ripple20 vulnerabilities. Digi has found that it is appropriate to patch the vulnerability. Please see our knowledge-based article for the patch releases related to this vulnerability.

Our development team has already developed a patch for this vulnerability and we strongly recommend that you apply the update as soon as possible to ensure the security of your device.

We take the security of our products very seriously and apologize for any inconvenience this may cause. If you have any questions or concerns, please do not hesitate to contact our support team.

Alert - Following up with Digi's previous announcement of WiFi Frag Attack.

Mon, 05 Dec 2022 13:00:00 GMT

Here is the link to our knowledge-based article that goes into detail on WiFi Frag Attack
Frag Attack Security Information

Alert - Security Update for OpenSSL Critical CVE’s: CVE-2022-3786 and CVE-2022-3602

Wed, 09 Nov 2022 13:00:00 GMT

Digi International is looking into the new Critical OpenSSL vulnerabilities, CVE-2022-3786, and CVE-2022-3602.

Currently, the EX50 and TX64 devices are vulnerable to CVE-2022-3786 and CVE-2022-3602. All other Digi Accelerated Linux (DAL) products are not affected. The EX50 and TX64 firmware will be updated to mitigate these vulnerabilities within the next patch release.

Digi Embedded Yocto version 4.0-r1 is currently vulnerable to CVE-2022-3786 and CVE-2022-3602 and will be updated to mitigate those vulnerabilities within the next patch release. All other versions of DEY are not affected.

Other OpenSSL libraries are also being looked at as well. The libraries found not up to date will also receive patches.

Any further questions…… we will address to further alleviate those concerns

Alert - In regards to California SB-327 and CISA advisory 22-216-01 with respect to the Digi Connect Port X devices manufactured prior to 1-1-2020

Thu, 11 Aug 2022 13:00:00 GMT

Digi International recommends that using the Connect Port X devices manufactured before 1-1-2020 to change the default password for the root user to a custom value on the device.

Alert - The Digi Security Vulnerability submission process has changed

Fri, 08 Jul 2022 13:00:00 GMT

You can submit vulnerabilities in the top right-hand corner by filling out Bugcrowd’s form. We encourage the researchers or customers to provide an email to better directly communicate with you. Please re-submit any vulnerability that in the last 90 days was sent to security@digi.com and we did not respond to you. We appreciate your continued service to make Digi International Inc. products stay secure.

Alert - Software validation hashes are now part of release notes

Fri, 24 Jun 2022 13:00:00 GMT

Visit the Digi support site and find your product

Alert - CVE-2022-22963 and CVE-2022-22965 Do Not Impact Digi Branded Products

Tue, 19 Apr 2022 13:00:00 GMT

After further due diligence Digi branded products are not vulnerable to either CVE-2022-22963 nor CVE-2022-22965 (Spring4Shell).

Alert - Digi Passport Firmware Update

Fri, 08 Apr 2022 13:00:00 GMT

A security fix for improving how requests are handled in the web interface has been published and is ready for download at the following link: https://hub.digi.com/support/products/infrastructure-management/digi-passport/?path=/support/asset/-digi-passport-1.5.2-firmware/

Alert - Spring4Shell Vulnerability (CVE-2022-22963)

Thu, 31 Mar 2022 13:00:00 GMT

Digi is currently investigating the impact throughout our product lines. Updates will be posted here.

Alert - OpenSSL infinite loop in BN_mod_sqrt() (CVE-2022-0778)

Tue, 29 Mar 2022 13:00:00 GMT

Digi is currently investigating the impact throughout our product lines. Updates will be posted here.

Alert - We have identified that the following four of our products have vulnerable versions related to log4j vulnerabilities CVE-2021-44228, and CVE-2021-45046

Thu, 23 Dec 2021 13:00:00 GMT

Note that these products are not vulnerable to the latest log4j vulnerability cited on CVE-2021-45105, and the latest installers below bring log4j up to 2.16. We have provided the direct links that patch the mentioned CVE's next to each product below.

Smart IOmux: Smart IOmux

Digi XCTU: XCTU

Digi XBee Multi Programmer: XBee Multi Programmer

Digi XBee Network Assistant: Digi XBee Network Assistant

We believe these vulnerabilities did not impose direct exploitation in our products because they are desktop applications run by individual users, and they are not accessible through the Internet or used through web services. The four products above are all of the affected products that we know of at this time. In the event we discover any further issues, we will update this page. For more information related to unaffected products, please review the post below dated December 14, 2021.

Alert - After a detailed investigation, Digi has determined Apache Log4j CVE-2021-44228 does not impact many of our products/product families. The unaffected products are listed below.

Tue, 14 Dec 2021 13:00:00 GMT

If you do not find a product, please note that we are continuing internal testing and will update the list below as soon as the results are known.

Devices not impacted by Apache Log4j CVE-2021:

CTEK G6200 family
CTEK SkyCloud
CTEK Z45 family
Digi 54xx family
Digi 63xx family
Digi AnywhereUSB (G2) family
Digi AnywhereUSB Plus family
Digi Connect family
Digi Connect EZ family
Digi Connect IT family
Digi ConnectPort family
Digi ConnectPort LTS family
Digi Connect Sensor family
Digi Connect WS family
Digi Embedded Android
Digi Embedded Yocto
Digi EX routers
Digi IX routers
Digi LR54
Digi One family
Digi Passport family
Digi PortServer TS family
Digi Rabbit Embedded Family
Digi TX routers
Digi WR11
Digi WR21
Digi WR31
Digi WR44R/RR
Digi WR54
Digi WR64

Software/Management Platforms:

AnywhereUSB Manager
Aview
ARMT
AVWOB
Digi Navigator
Digi Remote Manager
Digi Xbee mobile app
Dynamic C
Lighthouse
Realport
Remote Hub Config Utility

Alert - Apache Log4j CVE-2021-44228 vulnerability

Mon, 13 Dec 2021 13:00:00 GMT

Digi is currently investigating the impact throughout our product line. We currently have not discovered any impact at this time. We will continue to work diligently, and update as soon as we come to a conclusion across the organization.

Alert - FragAttacks - WiFi Fregmentation and Aggregation Attacks

Mon, 14 Jun 2021 13:00:00 GMT

At this time, Digi is still reviewing these attacks and how they impact our devices. From the nature of the attacks, we do expect that Digi devices will be impacted.

However, it is critical to note that even with these attacks, it has always been DIgi's policy and suggestions that network communication should never rely on the protections and standards of the data layers (WiFi/BlueTooth). Many of these are implemented in HW and can be difficult to change. If good network practices are used, (TLS/Certificates etc), then these vulnerabilities do not lead to any real impact. These vulnerabilites can only become impactful IF other flaws or issues are present.

It is Digi's intent to address these issues so that we preserve our defense in depth strategy to security in our products. Due to the complexity of these issues, we believe we will be able to address these by Q4 of 2021 or sooner if possible.

Alert - AMNESIA:33 - VU#815128 - Multiple TCP/IP stacks used in Internet of Things (IoT have several vulnerabilities stemming from improper memory management.

Wed, 09 Dec 2020 13:00:00 GMT

Digi International has never manufactured any products that could be impacted by the AMNESIA:33 vulnerabilities. There is no action required by any of our customers.

Alert - Digi International released software validation hashes

Wed, 30 Sep 2020 13:00:00 GMT

This document will provide file cryptographic hashes to validate that the software received is the software that Digi has officially provided. These Human validation methods are required for CIP-010-3 R1 Part 1.6 and for other good security practices prior to rolling out critical software or firmware for the enterprise.
Download

Alert - RIPPLE20 - Multiple vulnerabilities in TRECK TCP/IP embedded software - VU#257161

Tue, 16 Jun 2020 13:00:00 GMT

A number of high level vulnerabilities (CVE's) that affect the TCP/IP internal stack processing have been identified. Digi has been working with customers since February to install firmware updates to address the issue. Under specific circumstances, it may be possible that these vulnerabilities could lead to a remote code execution via a network based attack without authentication.

CVSSv3.1 Score of 8.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Several Digi products have been identified as impacted, and we strongly recommend that you update your firmware immediately.

These products include:

Digi Connect® ME, Digi Connect® EM, Digi Connect® WME, Digi Connect® SP, and Digi Connect® ES; Digi Connect® 9C, Digi Connect® 9P;
Digi ConnectPort® TS, Digi ConnectPort® X2, Digi ConnectPort® X4;
Digi AnywhereUSB® (First and Second Gen, NOT Plus);
NetSilicon 7250, 9210, 9215, 9360, 9750;
Any products using the NET+OS 7.X development environments.

For more information, read the Digi Knowledge base article.

Alert - Reflection attack WR11,WR21,WR31,WR41,WR44 series routers - VU#636397 - CVE-2020-10136

Tue, 02 Jun 2020 13:00:00 GMT

A high level vulnerability (CVSS => 7.0) was discovered on the Digi WR11,WR21,WR31,WR41, and WR44 cellular routers. The attack allows IP-in-IP encapsulation to be used to route arbitrary network traffic through a vulnerable device.

Please download firmware V8.1.0.1 (or greater) for a fix for this issue. Alternatively, enabling the firewall feature on the devices WAN interface (or cellular interface) port will also mitigate this attack.

For more information on this vulnerability, please see the knowledge base article within the Digi support section

Alert - Randomization of Secure Session SRP ephemeral values

Mon, 16 Mar 2020 13:00:00 GMT

A vulnerability was discovered on Digi XBee 3 Zigbee and Digi XBee 3 802.15.4 firmwares where the ephemeral values used for Secure Session SRP authentication are not randomized unless BLE is enabled. This feature is typically used to secure networks against unauthorized remote configuration.

For more information, go to: https://www.digi.com/support/knowledge-base/xbee-3-%E2%80%93-secure-session-srp-randomization

Alert - Zigbee transport keys sent 'in the clear'

Thu, 05 Mar 2020 13:00:00 GMT

A vulnerability was discovered on earlier generation XBee ZigBee modules (S2B, S2C, and S2D) where a router that was previously associated with the network can be allowed back onto the secured network using an invalid preconfigured link key. After which, this node could inadvertently pass the network key "in the clear" to devices attempting to join through it.

For more information, go to: https://www.digi.com/support/knowledge-base/xbee-zigbee-keys-can-be-sent-in-the-clear

Alert - Digi ConnectPort LTS vulnerabilities - 1 unrestricted upload, and 3 stored cross site scripting vulnerabilities - ICS Advisory (ICSA-20-042-13)

Tue, 11 Feb 2020 13:00:00 GMT

Vulnerability researchers Murat Aydemir, and Fatih Kayran discovered the above vulnerabilities within the ConnectPort LTS web interface of the Digi ConnectPort LTS firmware. The suggested fix for these issues include an update of firmware to the latest release for your product. For the full US-CERT guidance, please see: https://www.us-cert.gov/ics/advisories/icsa-20-042-13

For firmware updates, go to: https://www.digi.com/support/supporttype?type=firmware

Alert - Followup SACK vulnerability knowledge base article

Fri, 19 Jul 2019 13:00:00 GMT

For a more detailed list of Digi devices impacted by the SACK vulnerability, see the following KB article, https://www.digi.com/support/knowledge-base/sack_vulnerability

Alert - "SACK" Vulnerability - (CVE-2019-11477, CVE-2019-11478, CVE-2019-5599 and CVE-2019-11479)

Tue, 25 Jun 2019 13:00:00 GMT

Digi Intl. is aware of four recent vulnerabilities known as the "SACK" vulnerabilites. We are currently reviewing impact and coordinating fixes within our known impacted products at this time. More information will be available next week on the timeline for fixes. It is critical to note that these vulnerabilities do NOT impact the confidentiality and Integrity of any Digi devices. All of these vulnerabilities are classified as "Denial of Service" issues. This means that it may be possible to kick a device off the network or reboot the device.

Alert - Digi LR54/WR64/WR54 CVE-2018-20162 Major Security Vulnerability – Restricted Shell escape

Tue, 19 Feb 2019 13:00:00 GMT

A vulnerability was discovered by Stig Palmquist in the above named routers. This vulnerability allows an individual with existing full-admin, command-line access, the ability to get a root shell on the device. This vulnerability is not remotely exploitable. We suggest customers upgrade to versions equal to or greater than 4.5.1. It is also noted that even with this vulnerability, many critical parts of the router are read-only, and installed code is protected by a secure boot process. More detail will be published in Digi’s Knowledge base on this issue.

Alert - libSSH Critical vulnerability : CVE-2018-10933

Wed, 24 Oct 2018 13:00:00 GMT

Digi is aware of a critical vulnerability in the libssh libraries. We have conducted an impact analysis to identify if any Digi products are affected. We believe at this time that NO Digi products are impacted by this vulnerability, as we do not use this library for features in our products. We will continue to monitor this situation, and will post more information if the status changes.

Alert - Spectre and Meltdown Vulnerabilities - (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754)

Fri, 05 Jan 2018 13:00:00 GMT

Digi is aware of the Spectre and Meltdown vulnerabilities that were recently released. These vulnerabilities impact the confidentiality of data running on Intel, AMD and ARM processors.

For Digi hardware products, we do not use Intel or AMD processors, and as a consequence the "Meltdown" vulnerability does not affect Digi hardware products.

For the Spectre vulnerability, Digi security teams are working to determine the practical impacts and patches on Digi hardware products that use ARM processors.

For Digi Remote Manager & Device Cloud, we are working with our providers to address Spectre and Meltdown.

Additional information will be provided as soon as it is available. For more information on these vulnerabilities, please see the website https://meltdownattack.com/

Please continue to check this space for updates, or subscribe to the RSS feed above.

Alert - Discovered vulnerabilities with TransPort WR Series cellular routers

Wed, 29 Nov 2017 13:00:00 GMT

Three vulnerabilities have been found by Kasperski Labs within the WR series transport routers. These vulnerabilities are rated from high to low. The impacted devices are the Digi TransPort WR11,WR21,WR41,WR44, and the WR31. This includes "R", and "RR" versions as well. Impacted vulnerable services are SNMP, FTP, and the command line interface. For more information on the discovered vulnerabilities, including patches, mitigations, and overall risk, please see the knowledge base article.

Alert - Blueborne Vulnerability

Mon, 30 Oct 2017 13:00:00 GMT

Digi is aware of the BlueBorne vulnerability related to the penetration of Bluetooth connections resulting in potentially unauthorized access to devices and/or data. BlueBorne affects ordinary computers, mobile phones, embedded devices, and other connected devices with Bluetooth connectivity. Please refer to https://www.armis.com/blueborne/ for detailed information about the vulnerability. For embedded products, we strongly recommend customers to review the available public information about the Blueborne vulnerability and apply mitigation approaches, including already available fixes in the community. We also intend to provide fixes/workaround for the related vulnerabilities as soon as possible. In the meantime, please contact us if you have any questions related to how this vulnerability may affect the Digi products/platforms you are using.

Alert - DNSmasq Network service (CVE-2017-14491)

Fri, 20 Oct 2017 13:00:00 GMT

We have evaluated the impact of this vulnerability on our devices, and have concluded that the Transport LR54 is the only Digi device effected. We have made available a patch for this vulnerability in firmware versions 3.1.0.4 and above. Please see the Digi support site for firmware releases for the LR54 product.

Alert - KRACK Attack

Mon, 16 Oct 2017 13:00:00 GMT

Digi is aware of a vulnerability within the defined Wi-Fi security protocol WPA2. This has been defined as the KRACK Attack. we have released new firmware for impacted products, For a full technical statement on affected products and workarounds, please see our knowledge base article.

Alert - Mirai Botnet Impact Investigations

Sun, 01 Oct 2017 13:00:00 GMT

At this time, we have reviewed this, and we are not aware of any of our devices that can be compromized by this Botnet. We are continuing to monitor this in case this changes in the future.

Alert - Evaluation of Security Vulnerability VU#561444

Wed, 03 May 2017 13:00:00 GMT

Expanded info on CVE-2014-9222, CVE-2014-9223
Many Digi products contain and use the RomPager by Allegrosoft web server technology. It has come to our attention that this embedded web server, which is used for management of our devices contains what we have defined as a critical vulnerability. We urge any customer who may have one of these products where the administrative webserver is available on non-secure networks to either upgrade the firmware to a patched version or to disable the web server for management of these devices.

Alert - Practical exploits to SHA1 hashing has now been discovered

Fri, 03 Mar 2017 13:00:00 GMT

Although we have been migrating our products use of SHA1 for the last few years, we are re-evaluating our products for any remaining SHA1 hash use. We anticipate that future releases will remove the SHA1 hash use, and move to the stronger SHA3, or SHA2 routines respectively.

Alert - OpenSSL - New Security Release 1.1.0c

Thu, 10 Nov 2016 13:00:00 GMT

We are still reviewing the impact of this on our devices. we believe that this will not have any impact for Digi, as we use the OpenSSL long term support (LTS) version of Openssl v1.0.2 in our products, and not v1.1.0.

Alert - Dirty COW - (CVE-2016-5195)

Fri, 21 Oct 2016 13:00:00 GMT

We are in the process of fully testing our products against this vulnerability. Currently, we have found a few devices that are slightly impacted. However, due to the product type, there is no way to effectively exploit the devices with this vulnerability.