Overview
CVE ID: CVE-2026-8670
Severity: Critical
CVSS Score: 9.6
Affected Product(s): Avantra
Fixed Version(s): 25.3.1
Description
Insufficient session expiration (CWE-613) in syslink software AG Avantra on Linux and Windows allows reuse of session IDs (session replay): a session identifier is not invalidated when it should be, so a previously issued or captured ID can continue to authenticate requests to the Avantra Master. This issue affects Avantra versions before 25.3.1.
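The following Python model is an added illustration of the vulnerability class named above; it is not Avantra code and not the vendor's fix. It places a weak session store (logout only clears the client cookie, no absolute lifetime) beside a hardened one (server-side revocation on logout, idle and absolute timeouts) and runs the two probes a tester would use to demonstrate session replay. The store layout, timeout values, user name and function names are assumptions chosen for the example.

```python
"""Added example: insufficient session expiration (session ID replay), not Avantra code."""
import secrets
from typing import Callable, Optional


class SessionStore:
    """Server-side session table.

    vulnerable=True models the weak behaviour: logout only tells the client to
    drop its cookie, the server keeps the session alive, and no absolute
    lifetime is enforced. A session ID captured from an earlier request
    therefore keeps authenticating for as long as someone keeps touching it.
    """

    def __init__(self, clock: Callable[[], float], vulnerable: bool,
                 idle_timeout: float = 1800.0, absolute_timeout: float = 28800.0):
        self._clock = clock                     # injectable clock, so probes are deterministic
        self._vulnerable = vulnerable
        self._idle = idle_timeout
        self._absolute = absolute_timeout       # assumed 8 h hard cap (hardened mode only)
        self._sessions: dict = {}               # sid -> {"user", "created", "last_seen"}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)         # 256-bit random ID; guessing is not the issue here
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def logout(self, sid: str) -> None:
        if self._vulnerable:
            return                              # BUG: cookie dropped client-side only; sid stays valid
        self._sessions.pop(sid, None)           # hardened: revoke server-side

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user for sid, or None if the session must be rejected."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self._idle:
            self._sessions.pop(sid)
            return None
        if not self._vulnerable and now - s["created"] > self._absolute:
            self._sessions.pop(sid)             # hardened: hard cap regardless of activity
            return None
        s["last_seen"] = now
        return s["user"]


class FakeClock:
    """Constructed clock so the probes below run offline and deterministically."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def replay_after_logout(store: SessionStore) -> bool:
    """Probe 1: does a session ID captured before logout still authenticate after it?"""
    sid = store.login("operator")
    if store.resolve(sid) != "operator":
        raise RuntimeError("fresh session should resolve")
    store.logout(sid)
    return store.resolve(sid) is not None       # True means replay succeeded (vulnerable)


def replay_beyond_absolute_lifetime(store: SessionStore, clock: FakeClock,
                                    keepalive: float = 600.0, total: float = 86400.0) -> bool:
    """Probe 2: can an attacker keep a captured ID alive indefinitely by touching
    it every `keepalive` seconds, i.e. often enough to dodge the idle timeout?"""
    sid = store.login("operator")
    elapsed = 0.0
    while elapsed < total:
        clock.advance(keepalive)
        elapsed += keepalive
        if store.resolve(sid) is None:
            return False                        # server cut the session off (hardened)
    return True                                 # still valid after `total` seconds (vulnerable)


if __name__ == "__main__":
    for mode in (True, False):
        clk = FakeClock()
        print("vulnerable" if mode else "hardened",
              "replay after logout:", replay_after_logout(SessionStore(clk, mode)),
              "replay past 24h:", replay_beyond_absolute_lifetime(SessionStore(clk, mode), clk))
```

Both probes return True against the weak store and False against the hardened one; the second probe is the one that distinguishes "has an idle timeout" from "actually expires sessions", which is the distinction this vulnerability class is about.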
Impact
Vector: Network
Confidentiality: High
Integrity: High
Availability: High
Exploitation Status: No known exploits in the wild
Solution & Mitigation
Primary Action: Upgrade to version 25.3.1 or above
Mitigation: Until you can upgrade, reduce the exposure of the Master's web listener. Which option applies depends on the version you are running.
If you are on 25.1.x or earlier: set Web.http-server = off via Administration → Settings → Avantra Master, and restart the Master.
If you are on 25.2.1 through 25.3.0: the Web.http-server toggle was removed in 25.2.1, and these versions do not contain the fix. Either block inbound TCP port 9058 at your external firewall, or change Web.http-port to a port that your external firewall already blocks. Restart the Master after the change, then confirm from a host outside the perimeter that the port no longer accepts connections. Note that this only limits reachability from outside; it does not invalidate existing sessions, so anyone who can still reach the Master on the internal network can replay a captured session ID until you upgrade.
If you are on 25.3.1 or above: no action is required.
References
Contact & Credits
Reported by: Special thanks to Vicxer Inc. for identifying this vulnerability and working with us to strengthen our platform’s security.
Support: support@avantra.com
We at Avantra take the security of our software and our customers very seriously; it is our top priority. We will keep you up to date as more information becomes available, and we encourage customers to subscribe to the security section of our forum to receive proactive updates as we post them.