CVE-2026-2624: Critical Authentication Bypass in Antikor NGFW Exposes Firewalls to Full Remote Takeover

Aegiron 10 mins0

CVE-2026-2624 — Antikor NGFW Authentication Bypass

CVE: CVE-2026-2624
Product: ePati Cyber Security Antikor Next Generation Firewall (NGFW)
Affected Versions: 2.0.1298 ≤ version < 2.0.1301
CVSS v3.1 Score: 9.8 (Critical)
Severity: Critical
Exploitability: Remote network exploitation without authentication or user interaction
Exploit Availability: No confirmed public proof-of-concept exploit is currently available
Official Patch / Upgrade Link: Use the vendor’s official update page for Antikor NGFW to obtain version 2.0.1301 or laterhttps://www.epati.com.tr/en/products/antikor-next-generation-firewall/

This vulnerability allows unauthenticated attackers to bypass the intended authentication checks on critical firewall management functionality. The affected NGFW versions do not require credentials to access certain administrative operations, exposing the device to full compromise if reachable over the network. The CVSS metrics reflect a high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required.

Description of the Vulnerability

The root of CVE-2026-2624 is a missing authentication check on a sensitive management interface or API inside the Antikor NGFW. In a properly secured system, requests to change configuration, view sensitive status, or manage the firewall would require valid credentials and session tokens. In the affected releases, certain critical functions lack that enforcement, so when an attacker sends crafted requests to those endpoints, the firewall processes them as if they came from a legitimate admin session. This allows operations that should be protected — like altering rules, exporting configs, or disabling protections — without prior login.

Because firewalls serve as the first line of defense for networks, full administrative access effectively means an attacker can reshape network traffic flows, open tunnels to internal resources, or remove monitoring — actions that could lead to data breaches or prolonged undetected access.

How Exploitation Would Work

  • An attacker finds an exposed management interface on the NGFW (web UI port, API port, or other service).
  • The attacker sends requests directly to internal endpoints that should normally require authentication.
  • Because the authentication check is missing, the NGFW accepts the request and executes the privileged function.
  • Once inside, the attacker can make configuration changes, view or export sensitive information, and alter security controls.

There is no need for credentials, user interaction, or physical access. If the management interface is available from untrusted networks, an attacker can attempt exploitation over the network.

At the time of writing, no confirmed public proof-of-concept exploit code or detailed exploit steps have been published, but the nature of the flaw makes it straightforward for a skilled attacker to determine which admin functions lack authentication and to issue direct requests against them.

Potential Impacts if Exploited

If exploited successfully, the consequences are severe:

  • Administrative control without authorization
  • Modification or removal of firewall rules
  • Exfiltration of sensitive configuration and log data
  • Disabling of critical protections
  • Creation of backdoor administrative accounts
  • Network interception or redirection of traffic
  • Concealment of attacker activity by disabling logging

Because the firewall controls traffic flows and enforces policies, circumventing its protections undermines the entire network’s security posture.

Detection Strategies

Monitoring for attempts to exploit this vulnerability should focus on management interface access patterns, unauthorized administrative operations, and abnormal traffic against internal API endpoints. Use logs from the firewall and related network devices, as well as centralized SIEM correlation.

Log Sources to Monitor

  • Firewall management logs (web UI/API access, admin actions)
  • Configuration change logs (rule additions/deletions, user account changes)
  • Network session logs (unexpected admin protocol use from unknown IPs)
  • Proxy or reverse proxy logs if management interfaces are fronted by intermediate services

Detection Rules & Queries

Below are actionable example detection rules for common logging platforms and SIEMs:

Splunk

Detect unauthenticated access to admin endpoints with successful HTTP status

index=firewall_logs sourcetype=antikor_access
| where match(uri, "/(admin|api)/")
| where http_status=200 AND user="" 
| stats count by src_ip, uri, http_status
| sort -count

This query highlights requests to admin or API paths that return success but lack an authenticated user session.

Elastic (KQL)

Flag direct access to admin paths without a session

event.dataset:antikor.access AND 
(url.path : "*admin*" OR url.path : "*api*") AND 
http.response.status_code : 200 AND 
user.name : ""

It isolates access to administrative routes where no authenticated user was present.

Generic SIEM Correlation (Pseudo-SQL)

FROM firewall_access_logs AS a
JOIN config_change_logs AS c
ON a.session_id = c.session_id
WHERE a.user = "" AND c.action IN ("rule_change","user_add","config_export")

Correlates potentially unauthorized access events with actual configuration changes.

Response and Mitigation

  1. Upgrade Immediately: Apply the official patch by updating Antikor NGFW to version 2.0.1301 or later using the vendor’s official resources: https://www.epati.com.tr/en/products/antikor-next-generation-firewall/
  2. Restrict Management Access: Ensure management interfaces are only reachable from secure administrative networks or VPNs.
  3. Apply Access Controls: Use network ACLs or firewall rules to allow only known admin IP ranges.
  4. Enable MFA: Where supported, enable multi-factor authentication for administrative access.
  5. Monitor and Alert: Set up alerts for unexpected admin actions and unauthorized access attempts.
  6. Preserve Logs: Regularly export logs to secure storage for forensic review if needed.

MITRE / Weakness Mapping

  • CWE-306 — Missing Authentication for Critical Function: The firewall allows access to functionality without confirming a valid identity.

This weakness means that the security assumption — that certain functions require proof of identity — is violated directly by the code.

Proof-of-Concept and Exploit Availability

At present, there are no widely available public proof-of-concept exploits or payloads for CVE-2026-2624. Individuals researching or testing this vulnerability should only do so in controlled environments with explicit authorization, for educational or defensive validation purposes. Do not attempt exploitation on production systems or systems you do not own.

Summary

CVE-2026-2624 is a highly critical vulnerability in Antikor NGFW that lets unauthenticated network attackers reach administrative functionality. It affects a narrow range of versions and is fixed in Antikor NGFW 2.0.1301 or newer. Organizations using this product should prioritize upgrading, lock down management interfaces, and monitor for unexpected access. The potential impact of exploitation includes full compromise of firewall configurations and network defenses.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.