How to Fix CVE-2026-27754: SODOLA SL902-SWTGW124AS (Bundle Sibling)

By Sai Kiran Pandrala. Last verified: 2026-05-25.

CVE-2026-27754 is a sibling vulnerability in the same vendor advisory as CVE-2026-27751. Apply the same patched build and you close both. The technical detail below is what differs.

What's different about CVE-2026-27754?

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographically broken MD5 hash function for session cookie generation, weakening session security. Attackers can exploit predictable session tokens combined with MD5's collision vulnerabilities to forge valid session cookies and gain unauthorized access to the device.

How to fix CVE-2026-27754

Apply the patched build per the primary write-up: How to Fix CVE-2026-27751. All commands, verification steps, and rollback notes for SODOLA SL902-SWTGW124AS are listed there.

Frequently asked questions

Does the CVE-2026-27751 patch close CVE-2026-27754?

Yes. Both CVEs are addressed by the same vendor patch. Applying the patched build closes the full bundle.

Is CVE-2026-27754 listed in CISA KEV?

No public KEV listing at the time of this writing.

Where is the official advisory?

See https://www.sodola-network.com/products/sodola-6-port-2-5g-easy-web-managed-switch-4-x-2-5g-base-t-ports-2-x-10g-sfp-static-aggregation-qos-vlan-igmp-2-5gb-network-home-lab-switch

References

• Official vendor advisory: https://www.sodola-network.com/products/sodola-6-port-2-5g-easy-web-managed-switch-4-x-2-5g-base-t-ports-2-x-10g-sfp-static-aggregation-qos-vlan-igmp-2-5gb-network-home-lab-switch
• NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27754
• CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• Primary: How to Fix CVE-2026-27751

*Written by Sai Kiran Pandrala. Part of the SODOLA SL902-SWTGW124AS bundle. Full procedure at how-to-fix-cve-2026-27751.*