Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-40342

Summary
Assigner-Hitachi Energy
Assigner Org ID-e383dce4-0c27-4495-91c4-0db157728d17
Published At-05 Jan, 2023 | 21:27
Updated At-10 Apr, 2025 | 14:07
Rejected At-
Credits

Use of default key for encryption

In the DES implementation, the affected product versions use a default key for encryption. Successful exploitation allows an attacker to obtain sensitive information and gain access to the network elements that are managed by the affected products versions. This issue affects * FOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Hitachi Energy
Assigner Org ID:e383dce4-0c27-4495-91c4-0db157728d17
Published At:05 Jan, 2023 | 21:27
Updated At:10 Apr, 2025 | 14:07
Rejected At:
▼CVE Numbering Authority (CNA)
Use of default key for encryption

In the DES implementation, the affected product versions use a default key for encryption. Successful exploitation allows an attacker to obtain sensitive information and gain access to the network elements that are managed by the affected products versions. This issue affects * FOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*

Affected Products
Vendor
Hitachi Energy Ltd.Hitachi Energy
Product
FOXMAN-UN
Default Status
unaffected
Versions
Affected
  • FOXMAN-UN R16A
  • FOXMAN-UN R15B
  • FOXMAN-UN R15A
  • FOXMAN-UN R14B
  • FOXMAN-UN R14A
  • FOXMAN-UN R11B
  • FOXMAN-UN R11A
  • FOXMAN-UN R10C
  • FOXMAN-UN R9C
Vendor
Hitachi Energy Ltd.Hitachi Energy
Product
UNEM
Default Status
unaffected
Versions
Affected
  • UNEM R16A
  • UNEM R15B
  • UNEM R15A
  • UNEM R14B
  • UNEM R14A
  • UNEM R11B
  • UNEM R11A
  • UNEM R10C
  • UNEM R9C
Problem Types
TypeCWE IDDescription
CWECWE-798CWE-798 Use of Hard-coded Credentials
Type: CWE
CWE ID: CWE-798
Description: CWE-798 Use of Hard-coded Credentials
Metrics
VersionBase scoreBase severityVector
3.17.1HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-20CAPEC-20 Encryption Brute Forcing
CAPEC ID: CAPEC-20
Description: CAPEC-20 Encryption Brute Forcing
Solutions
Configurations
Workarounds

The vulnerabilities are partially remediated in FOXMAN-UN R16A or UNEM R16A, the full remediation will be done in the upcoming release (planned). For immediate recommended mitigation actions if using FOXMAN-UN R16A or UNEM R16A, please refer to the Database contains credentials with weak encryption clause of section Mitigation Factors/Workarounds in the respective products' advisory. For immediate recommended mitigation actions if using FOXMAN-UN R15B or UNEM R15B and earlier, please refer to the multiple clauses of section Mitigation Factors/Workarounds in the advisory * Secure the NMS CLIENT/SERVER communication. * Embedded FOXCST with RADIUS authentication should be avoided. * Database contains credentials with weak encryption.

Exploits
Credits
reporter
K-Businessom AG, Austria
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000083&LanguageCode=en&DocumentPartId=&Action=Launch
N/A
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000084&LanguageCode=en&DocumentPartId=&Action=Launch
N/A
Hyperlink: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000083&LanguageCode=en&DocumentPartId=&Action=Launch
Resource: N/A
Hyperlink: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000084&LanguageCode=en&DocumentPartId=&Action=Launch
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000083&LanguageCode=en&DocumentPartId=&Action=Launch
x_transferred
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000084&LanguageCode=en&DocumentPartId=&Action=Launch
x_transferred
Hyperlink: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000083&LanguageCode=en&DocumentPartId=&Action=Launch
Resource:
x_transferred
Hyperlink: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000084&LanguageCode=en&DocumentPartId=&Action=Launch
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cybersecurity@hitachienergy.com
Published At:05 Jan, 2023 | 22:15
Updated At:07 Nov, 2023 | 03:38

In the DES implementation, the affected product versions use a default key for encryption. Successful exploitation allows an attacker to obtain sensitive information and gain access to the network elements that are managed by the affected products versions. This issue affects * FOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.17.1HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CPE Matches
Hitachi Energy Ltd.
hitachienergy
>>foxman-un>>r9c
cpe:2.3:a:hitachienergy:foxman-un:r9c:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>foxman-un>>r10c
cpe:2.3:a:hitachienergy:foxman-un:r10c:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>foxman-un>>r11a
cpe:2.3:a:hitachienergy:foxman-un:r11a:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>foxman-un>>r11b
cpe:2.3:a:hitachienergy:foxman-un:r11b:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>foxman-un>>r14a
cpe:2.3:a:hitachienergy:foxman-un:r14a:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>foxman-un>>r14b
cpe:2.3:a:hitachienergy:foxman-un:r14b:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>foxman-un>>r15a
cpe:2.3:a:hitachienergy:foxman-un:r15a:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>foxman-un>>r15b
cpe:2.3:a:hitachienergy:foxman-un:r15b:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>foxman-un>>r16a
cpe:2.3:a:hitachienergy:foxman-un:r16a:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>unem>>r9c
cpe:2.3:a:hitachienergy:unem:r9c:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>unem>>r10c
cpe:2.3:a:hitachienergy:unem:r10c:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>unem>>r11a
cpe:2.3:a:hitachienergy:unem:r11a:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>unem>>r11b
cpe:2.3:a:hitachienergy:unem:r11b:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>unem>>r14a
cpe:2.3:a:hitachienergy:unem:r14a:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>unem>>r14b
cpe:2.3:a:hitachienergy:unem:r14b:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>unem>>r15a
cpe:2.3:a:hitachienergy:unem:r15a:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>unem>>r15b
cpe:2.3:a:hitachienergy:unem:r15b:*:*:*:*:*:*:*
Hitachi Energy Ltd.
hitachienergy
>>unem>>r16a
cpe:2.3:a:hitachienergy:unem:r16a:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-287Primarynvd@nist.gov
CWE-798Secondarycybersecurity@hitachienergy.com
CWE ID: CWE-287
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-798
Type: Secondary
Source: cybersecurity@hitachienergy.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000083&LanguageCode=en&DocumentPartId=&Action=Launchcybersecurity@hitachienergy.com
Mitigation
Vendor Advisory
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000084&LanguageCode=en&DocumentPartId=&Action=Launchcybersecurity@hitachienergy.com
Mitigation
Vendor Advisory
Hyperlink: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000083&LanguageCode=en&DocumentPartId=&Action=Launch
Source: cybersecurity@hitachienergy.com
Resource:
Mitigation
Vendor Advisory
Hyperlink: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000084&LanguageCode=en&DocumentPartId=&Action=Launch
Source: cybersecurity@hitachienergy.com
Resource:
Mitigation
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

1165Records found
CVE-2022-3927
Matching Score-10
Assigner-Hitachi Energy
ShareView Details
Matching Score-10
Assigner-Hitachi Energy
CVSS Score-8||HIGH
EPSS-0.14% / 35.45%
||
7 Day CHG~0.00%
Published-05 Jan, 2023 | 21:41
Updated-10 Apr, 2025 | 14:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The affected products store public and private key that are used to sign and protect custom parameter set files from modification.

The affected products store both public and private key that are used to sign and protect Custom Parameter Set (CPS) file from modification. An attacker that manages to exploit this vulnerability will be able to change the CPS file, sign it so that it is trusted as the legitimate CPS file. This issue affects * FOXMAN-UN product: FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*

Action-Not Available
Vendor-Hitachi Energy Ltd.
Product-foxman-ununemUNEMFOXMAN-UN
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2022-3928
Matching Score-10
Assigner-Hitachi Energy
ShareView Details
Matching Score-10
Assigner-Hitachi Energy
CVSS Score-7.1||HIGH
EPSS-0.05% / 13.99%
||
7 Day CHG~0.00%
Published-05 Jan, 2023 | 21:50
Updated-10 Apr, 2025 | 13:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hardcoded credential is found in the message queue

Hardcoded credential is found in affected products' message queue. An attacker that manages to exploit this vulnerability will be able to access data to the internal message queue. This issue affects * FOXMAN-UN product: FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*

Action-Not Available
Vendor-Hitachi Energy Ltd.
Product-foxman-ununemUNEMFOXMAN-UN
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2021-40341
Matching Score-8
Assigner-Hitachi Energy
ShareView Details
Matching Score-8
Assigner-Hitachi Energy
CVSS Score-7.1||HIGH
EPSS-0.03% / 7.34%
||
7 Day CHG~0.00%
Published-05 Jan, 2023 | 21:26
Updated-10 Apr, 2025 | 13:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weak DES encryption

DES cipher, which has inadequate encryption strength, is used Hitachi Energy FOXMAN-UN to encrypt user credentials used to access the Network Elements. Successful exploitation allows sensitive information to be decrypted easily. This issue affects  * FOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C;  * UNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs:  * cpe:2.3:a:hitachienergy:foxman-un:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*

Action-Not Available
Vendor-Hitachi Energy Ltd.
Product-foxman-ununemUNEMFOXMAN-UN
CWE ID-CWE-326
Inadequate Encryption Strength
CVE-2022-3929
Matching Score-8
Assigner-Hitachi Energy
ShareView Details
Matching Score-8
Assigner-Hitachi Energy
CVSS Score-8.3||HIGH
EPSS-0.12% / 31.51%
||
7 Day CHG~0.00%
Published-05 Jan, 2023 | 21:54
Updated-10 Apr, 2025 | 13:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Communication between the client and server partially using CORBA over TCP/IP

Communication between the client and the server application of the affected products is partially done using CORBA (Common Object Request Broker Architecture) over TCP/IP. This protocol is not encrypted and allows tracing of internal messages. This issue affects * FOXMAN-UN product: FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*

Action-Not Available
Vendor-Hitachi Energy Ltd.
Product-foxman-ununemUNEMFOXMAN-UN
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2024-2011
Matching Score-8
Assigner-Hitachi Energy
ShareView Details
Matching Score-8
Assigner-Hitachi Energy
CVSS Score-8.6||HIGH
EPSS-0.44% / 62.10%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 13:24
Updated-15 Aug, 2024 | 21:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A heap-based buffer overflow vulnerability exists in the FOXMAN-UN/UNEM that if exploited will generally lead to a denial of service but can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy

Action-Not Available
Vendor-Hitachi Energy Ltd.
Product-foxman-ununemFOXMAN-UNUNEMfoxman-ununem
CWE ID-CWE-122
Heap-based Buffer Overflow
CWE ID-CWE-787
Out-of-bounds Write
CVE-2024-7940
Matching Score-8
Assigner-Hitachi Energy
ShareView Details
Matching Score-8
Assigner-Hitachi Energy
CVSS Score-8.3||HIGH
EPSS-0.16% / 37.40%
||
7 Day CHG~0.00%
Published-27 Aug, 2024 | 12:52
Updated-28 Aug, 2024 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The product exposes a service that is intended for local only to all network interfaces without any authentication.

Action-Not Available
Vendor-Hitachi Energy Ltd.
Product-microscada_x_sys600MicroSCADA SYS600microscada_x_sys600
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-2513
Matching Score-8
Assigner-Hitachi Energy
ShareView Details
Matching Score-8
Assigner-Hitachi Energy
CVSS Score-7.1||HIGH
EPSS-0.01% / 1.51%
||
7 Day CHG~0.00%
Published-22 Nov, 2022 | 10:30
Updated-01 May, 2025 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cleartext Credentials Vulnerability on Hitachi Energy’s Multiple IED Connectivity Packages (IED ConnPacks) and PCM600 Products

A vulnerability exists in the Intelligent Electronic Device (IED) Connectivity Package (ConnPack) credential storage function in Hitachi Energy’s PCM600 product included in the versions listed below, where IEDs credentials are stored in a cleartext format in the PCM600 database and logs files. An attacker having get access to the exported backup file can exploit the vulnerability and obtain user credentials of the IEDs. Additionally, an attacker with administrator access to the PCM600 host machine can obtain other user credentials by analyzing database log files. The credentials may be used to perform unauthorized modifications such as loading incorrect configurations, reboot the IEDs or cause a denial-of-service on the IEDs.

Action-Not Available
Vendor-Hitachi Energy Ltd.
Product-sam600ioconnectivitypackagepwc600connectivitypackagepcm600650connectivitypackage670connectivitypackagegms600connectivitypackagePWC600 Connectivity Package670 Connectivity PackageGMS600 Connectivity PackagePCM600SAM600-IO Connectivity Package650 Connectivity Package
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-5620
Matching Score-8
Assigner-Rapid7, Inc.
ShareView Details
Matching Score-8
Assigner-Rapid7, Inc.
CVSS Score-9.8||CRITICAL
EPSS-77.23% / 98.93%
||
7 Day CHG~0.00%
Published-29 Apr, 2020 | 22:15
Updated-17 Sep, 2024 | 03:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ABB MicroSCADA Pro SYS600 Missing Authentication for Critical Function

ABB MicroSCADA Pro SYS600 version 9.3 suffers from an instance of CWE-306: Missing Authentication for Critical Function.

Action-Not Available
Vendor-Hitachi Energy Ltd.Microsoft CorporationABB
Product-microscada_pro_sys600windows_7windows_xpMicroSCADA Pro SYS600
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-2012
Matching Score-8
Assigner-Hitachi Energy
ShareView Details
Matching Score-8
Assigner-Hitachi Energy
CVSS Score-9.1||CRITICAL
EPSS-0.22% / 45.22%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 13:16
Updated-15 Aug, 2024 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway that if exploited an attacker could use to allow unintended commands or code to be executed on the UNEM server allowing sensitive data to be read or modified or could cause other unintended behavior

Action-Not Available
Vendor-Hitachi Energy Ltd.
Product-foxman-ununemFOXMAN-UNUNEMfoxman_ununem
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-2244
Matching Score-6
Assigner-Hitachi Energy
ShareView Details
Matching Score-6
Assigner-Hitachi Energy
CVSS Score-5.3||MEDIUM
EPSS-0.17% / 38.62%
||
7 Day CHG~0.00%
Published-27 Mar, 2024 | 01:16
Updated-06 Aug, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

REST service authentication anomaly with “valid username/no password” credential combination for batch job processing resulting in successful service invocation. The anomaly doesn’t exist with other credential combinations.

Action-Not Available
Vendor-Hitachi Energy Ltd.
Product-Asset Suite EAMasset_suite
CWE ID-CWE-287
Improper Authentication
CVE-2023-4816
Matching Score-6
Assigner-Hitachi Energy
ShareView Details
Matching Score-6
Assigner-Hitachi Energy
CVSS Score-6.9||MEDIUM
EPSS-0.01% / 0.97%
||
7 Day CHG~0.00%
Published-11 Sep, 2023 | 07:40
Updated-25 Sep, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability exists in the Equipment Tag Out authentication, when configured with Single Sign-On (SSO) with password validation in T214. This vulnerability can be exploited by an authenticated user per-forming an Equipment Tag Out holder action (Accept, Release, and Clear) for another user and entering an arbitrary password in the holder action confirmation dialog box. Despite entering an arbitrary password in the confirmation box, the system will execute the selected holder action.

Action-Not Available
Vendor-Hitachi Energy Ltd.
Product-asset_suiteAsset Suite 9
CWE ID-CWE-287
Improper Authentication
CVE-2018-14805
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-1.32% / 79.04%
||
7 Day CHG~0.00%
Published-29 Aug, 2018 | 16:00
Updated-17 Sep, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ABB eSOMS version 6.0.2 may allow unauthorized access to the system when LDAP is set to allow anonymous authentication, and specific key values within the eSOMS web.config file are present. Both conditions are required to exploit this vulnerability.

Action-Not Available
Vendor-ICS-CERTHitachi Energy Ltd.
Product-esomsABB eSOMS
CWE ID-CWE-287
Improper Authentication
CVE-2021-40494
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.29% / 51.93%
||
7 Day CHG~0.00%
Published-03 Sep, 2021 | 01:35
Updated-04 Aug, 2024 | 02:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Hardcoded JWT Secret Key in metadata.py in AdaptiveScale LXDUI through 2.1.3 allows attackers to gain admin access to the host system.

Action-Not Available
Vendor-adaptivescalen/a
Product-lxduin/a
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2021-40507
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 30.09%
||
7 Day CHG~0.00%
Published-18 Apr, 2023 | 00:00
Updated-06 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the ALU unit of the OR1200 (aka OpenRISC 1200) processor 2011-09-10 through 2015-11-11. The overflow flag is not being updated correctly for the subtract instruction, which results in an incorrect value in the overflow flag. Any software that relies on this flag may experience corruption in execution.

Action-Not Available
Vendor-openriscn/a
Product-or1200_firmwareor1200n/a
CWE ID-CWE-287
Improper Authentication
CVE-2021-40597
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.64% / 69.57%
||
7 Day CHG~0.00%
Published-29 Jun, 2022 | 19:44
Updated-04 Aug, 2024 | 02:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The firmware of EDIMAX IC-3140W Version 3.11 is hardcoded with Administrator username and password.

Action-Not Available
Vendor-n/aEdimax Technology Company Ltd.
Product-ic-3140wic-3140w_firmwaren/a
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2024-43685
Matching Score-4
Assigner-Microchip Technology
ShareView Details
Matching Score-4
Assigner-Microchip Technology
CVSS Score-8.7||HIGH
EPSS-0.18% / 40.54%
||
7 Day CHG~0.00%
Published-04 Oct, 2024 | 19:48
Updated-17 Oct, 2024 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Session token fixation in TimeProvider 4100

Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

Action-Not Available
Vendor-microchipMicrochipmicrochip
Product-timeprovider_4100timeprovider_4100_firmwareTimeProvider 4100timeprovider_4100_firmware
CWE ID-CWE-287
Improper Authentication
CVE-2019-3932
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-9.8||CRITICAL
EPSS-8.30% / 91.90%
||
7 Day CHG~0.00%
Published-30 Apr, 2019 | 20:30
Updated-04 Aug, 2024 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to authentication bypass due to a hard-coded password in return.tgi. A remote, unauthenticated attacker can use this vulnerability to control external devices via the uart_bridge.

Action-Not Available
Vendor-Crestron Electronics, Inc.
Product-am-101am-100am-101_firmwaream-100_firmwareCrestron AirMedia
CWE ID-CWE-249
DEPRECATED: Often Misused: Path Manipulation
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2019-3927
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-9.8||CRITICAL
EPSS-2.15% / 83.55%
||
7 Day CHG~0.00%
Published-30 Apr, 2019 | 20:15
Updated-04 Aug, 2024 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 anyone can change the administrator and moderator passwords via the iso.3.6.1.4.1.3212.100.3.2.8.1 and iso.3.6.1.4.1.3212.100.3.2.8.2 OIDs. A remote, unauthenticated attacker can use this vulnerability to change the admin or moderator user's password and gain access to restricted areas on the HTTP interface.

Action-Not Available
Vendor-Crestron Electronics, Inc.
Product-am-101am-100am-101_firmwaream-100_firmwareCrestron AirMedia
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-287
Improper Authentication
CVE-2024-42462
Matching Score-4
Assigner-upKeeper Solutions
ShareView Details
Matching Score-4
Assigner-upKeeper Solutions
CVSS Score-10||CRITICAL
EPSS-0.22% / 45.10%
||
7 Day CHG~0.00%
Published-16 Aug, 2024 | 13:22
Updated-28 Aug, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bypass multifactor authentication

Improper Authentication vulnerability in upKeeper Solutions product upKeeper Manager allows Authentication Bypass.This issue affects upKeeper Manager: through 5.1.9.

Action-Not Available
Vendor-upkeeperupKeeper Solutionsupkeeper
Product-upkeeper_managerupKeeper Managerupkeeper_manager
CWE ID-CWE-287
Improper Authentication
CVE-2019-3939
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-9.8||CRITICAL
EPSS-4.23% / 88.30%
||
7 Day CHG~0.00%
Published-30 Apr, 2019 | 20:40
Updated-04 Aug, 2024 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 use default credentials admin/admin and moderator/moderator for the web interface. An unauthenticated, remote attacker can use these credentials to gain privileged access to the device.

Action-Not Available
Vendor-Crestron Electronics, Inc.
Product-am-101am-100am-101_firmwaream-100_firmwareCrestron AirMedia
CWE ID-CWE-16
Not Available
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2021-41303
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-61.81% / 98.27%
||
7 Day CHG~0.00%
Published-17 Sep, 2021 | 08:20
Updated-04 Aug, 2024 | 03:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

Action-Not Available
Vendor-The Apache Software FoundationOracle Corporation
Product-shirofinancial_services_crime_and_compliance_management_studioApache Shiro
CWE ID-CWE-287
Improper Authentication
CVE-2025-8730
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-9.3||CRITICAL
EPSS-9.55% / 92.54%
||
7 Day CHG~0.00%
Published-08 Aug, 2025 | 14:32
Updated-08 Aug, 2025 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Belkin F9K1009/F9K1010 Web Interface hard-coded credentials

A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Belkin International, Inc.
Product-F9K1009F9K1010
CWE ID-CWE-259
Use of Hard-coded Password
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2024-42638
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.22% / 44.79%
||
7 Day CHG~0.00%
Published-16 Aug, 2024 | 00:00
Updated-17 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

H3C Magic B1ST v100R012 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.

Action-Not Available
Vendor-n/aNew H3C Technologies Co., Ltd.
Product-magic_b1st_firmwaremagic_b1stn/a
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2021-40874
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 56.85%
||
7 Day CHG~0.00%
Published-17 Jul, 2022 | 23:16
Updated-04 Aug, 2024 | 02:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authentication plug-in, any password will be recognized as valid for an existing user.

Action-Not Available
Vendor-lemonldap-ngn/aDebian GNU/Linux
Product-lemonldap\debian_linuxn/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-42637
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.22% / 44.79%
||
7 Day CHG~0.00%
Published-16 Aug, 2024 | 00:00
Updated-27 May, 2025 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

H3C R3010 v100R002L02 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.

Action-Not Available
Vendor-n/aNew H3C Technologies Co., Ltd.
Product-r3010r3010_firmwaren/ar3010_firmware
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2024-43423
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.3||CRITICAL
EPSS-0.17% / 39.06%
||
7 Day CHG~0.00%
Published-24 Sep, 2024 | 23:47
Updated-01 Oct, 2024 | 15:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE Use of Hard-coded Password

The web application for ProGauge MAGLINK LX4 CONSOLE contains an administrative-level user account with a password that cannot be changed.

Action-Not Available
Vendor-doverfuelingsolutionsDover Fueling Solutions (DFS)doverfuelingsolutions
Product-progauge_maglink_lx4_consoleprogauge_maglink_lx_console_firmwareprogauge_maglink_lx_consoleprogauge_maglink_lx4_console_firmwareProGauge MAGLINK LX CONSOLEProGauge MAGLINK LX4 CONSOLEmaglink_lx4_consolemaglink_lx_console
CWE ID-CWE-259
Use of Hard-coded Password
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2019-3918
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 56.44%
||
7 Day CHG~0.00%
Published-05 Mar, 2019 | 21:00
Updated-16 Sep, 2024 | 22:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 contains multiple hard coded credentials for the Telnet and SSH interfaces.

Action-Not Available
Vendor-Tenable, Inc.Nokia Corporation
Product-i-240w-q_gpon_ont_firmwarei-240w-q_gpon_ontAlcatel Lucent I-240W-Q GPON ONT
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2024-41161
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.7||HIGH
EPSS-0.55% / 67.05%
||
7 Day CHG~0.00%
Published-08 Aug, 2024 | 17:49
Updated-20 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vonets WiFi Bridges Use of Hard-coded Credentials

Use of hard-coded credentials vulnerability affecting Vonets industrial wifi bridge relays and wifi bridge repeaters, software versions 3.3.23.6.9 and prior, enables an unauthenticated remote attacker to bypass authentication using hard-coded administrator credentials. These accounts cannot be disabled.

Action-Not Available
Vendor-vonetsVonetsvonets
Product-vap11g-500s_firmwarevap11g-500_firmwarevga-1000var1200-hvap11n-300_firmwarevar1200-l_firmwarevbg1200var1200-lvap11g-500svap11ac_firmwarevar600-h_firmwarevap11s-5g_firmwarevga-1000_firmwarevar1200-h_firmwarevap11n-300vap11g-500vap11g-300_firmwarevar11n-300vap11s-5gvap11g-300vap11s_firmwarevap11gvap11acvbg1200_firmwarevap11svap11g_firmwarevar600-hvar11n-300_firmwareVAP11S-5GVAP11N-300VBG1200VAP11GVAR11N-300VGA-1000VAR1200-LVAR1200-HVAP11SVAP11G-300VAP11G-500VAP11G-500SVAP11ACVAR600-Hvap11g-500s_firmwarevap11n-300_firmwarevap11s_firmwarevar1200-l_firmwarevbg1200_firmwarevap11ac_firmwarevar600-h_firmwarevap11s-5g_firmwarevga-1000_firmwarevap11g_firmwarevar1200-h_firmwarevap11g-300_firmwarevar11n-300_firmware
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2024-41798
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-9.3||CRITICAL
EPSS-0.20% / 42.01%
||
7 Day CHG~0.00%
Published-08 Oct, 2024 | 08:40
Updated-10 Oct, 2024 | 12:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SENTRON 7KM PAC3200 (All versions). Affected devices only provide a 4-digit PIN to protect from administrative access via Modbus TCP interface. Attackers with access to the Modbus TCP interface could easily bypass this protection by brute-force attacks or by sniffing the Modbus clear text communication.

Action-Not Available
Vendor-Siemens AG
Product-SENTRON 7KM PAC3200sentron_pac3200
CWE ID-CWE-287
Improper Authentication
CVE-2024-41195
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.03% / 7.88%
||
7 Day CHG~0.00%
Published-22 May, 2025 | 00:00
Updated-30 May, 2025 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Ocuco Innovation - INNOVASERVICEINTF.EXE v2.10.24.17 allows attackers to bypass authentication and escalate privileges to Administrator via a crafted TCP packet.

Action-Not Available
Vendor-ocucon/a
Product-innovationn/a
CWE ID-CWE-287
Improper Authentication
CVE-2021-4073
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-2.50% / 84.72%
||
7 Day CHG~0.00%
Published-14 Dec, 2021 | 15:50
Updated-14 Feb, 2025 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RegistrationMagic <= 5.0.1.7 Authentication Bypass

The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin. This affects versions equal to, and less than, 5.0.1.7.

Action-Not Available
Vendor-Metagauss Inc.
Product-registrationmagicRegistrationMagic
CWE ID-CWE-287
Improper Authentication
CVE-2019-20933
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-93.11% / 99.78%
||
7 Day CHG-0.79%
Published-19 Nov, 2020 | 01:50
Updated-05 Aug, 2024 | 03:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

Action-Not Available
Vendor-influxdatan/aDebian GNU/Linux
Product-influxdbdebian_linuxn/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-39374
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.3||CRITICAL
EPSS-0.15% / 36.32%
||
7 Day CHG~0.00%
Published-27 Jun, 2024 | 16:03
Updated-17 Sep, 2024 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use of Hard-coded Credentials in TELSAT marKoni FM Transmitter

TELSAT marKoni FM Transmitters are vulnerable to an attacker exploiting a hidden admin account that can be accessed through the use of hard-coded credentials.

Action-Not Available
Vendor-markonimarKonimarkoni
Product-markoni-dh_\(exciter\+amplifiers\)_firmwaremarkoni-d_\(compact\)_firmwaremarkoni-dh_\(exciter\+amplifiers\)markoni-d_\(compact\)Markoni-D (Compact) FM TransmittersMarkoni-DH (Exciter+Amplifiers) FM Transmittersmarkoni-dh_fm_transmittermarkoni-d_fm_transmitter
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2021-40350
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 59.77%
||
7 Day CHG~0.00%
Published-01 Sep, 2021 | 14:22
Updated-04 Aug, 2024 | 02:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

webctrl.cgi.elf on Christie Digital DWU850-GS V06.46 devices allows attackers to perform any desired action via a crafted query containing an unspecified Cookie header. Authentication bypass can be achieved by including an administrative cookie that the device does not validate.

Action-Not Available
Vendor-christiedigitaln/a
Product-dwu850-gsdwu850-gs_firmwaren/a
CWE ID-CWE-287
Improper Authentication
CVE-2019-20786
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.22% / 78.22%
||
7 Day CHG~0.00%
Published-19 Apr, 2020 | 19:57
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

handleIncomingPacket in conn.go in Pion DTLS before 1.5.2 lacks a check for application data with epoch 0, which allows remote attackers to inject arbitrary unencrypted data after handshake completion.

Action-Not Available
Vendor-pionn/a
Product-dtlsn/a
CWE ID-CWE-287
Improper Authentication
CVE-2025-7574
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-9.3||CRITICAL
EPSS-0.16% / 37.71%
||
7 Day CHG~0.00%
Published-14 Jul, 2025 | 05:02
Updated-15 Jul, 2025 | 13:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LB-LINK BL-WR9000 Web Interface lighttpd.cgi restore improper authentication

A vulnerability, which was classified as critical, was found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. Affected is the function reboot/restore of the file /cgi-bin/lighttpd.cgi of the component Web Interface. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-LB-LINK
Product-BL-AX1800BL-AX5400PBL-AC3600BL-AC1900BL-AC2100_AZ3BL-WR9000
CWE ID-CWE-287
Improper Authentication
CVE-2024-38466
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 30.29%
||
7 Day CHG~0.00%
Published-16 Jun, 2024 | 00:00
Updated-19 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Shenzhen Guoxin Synthesis image system before 8.3.0 has a 123456Qw default password.

Action-Not Available
Vendor-guoxinledn/a
Product-synthesis_image_systemn/a
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2018-10683
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 59.34%
||
7 Day CHG~0.00%
Published-09 May, 2018 | 08:00
Updated-05 Aug, 2024 | 07:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in WildFly 10.1.2.Final. In the case of a default installation without a security realm reference, an attacker can successfully access the server without authentication. NOTE: the Security Realms documentation in the product's Admin Guide indicates that "without a security realm reference" implies "effectively unsecured." The vendor explicitly supports these unsecured configurations because they have valid use cases during development

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-wildflyn/a
CWE ID-CWE-287
Improper Authentication
CVE-2021-40390
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-10||CRITICAL
EPSS-0.31% / 53.65%
||
7 Day CHG~0.00%
Published-14 Apr, 2022 | 19:56
Updated-15 Apr, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authentication bypass vulnerability exists in the Web Application functionality of Moxa MXView Series 3.2.4. A specially-crafted HTTP request can lead to unauthorized access. An attacker can send an HTTP request to trigger this vulnerability.

Action-Not Available
Vendor-Moxa Inc.
Product-mxviewMXView Series
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2019-20033
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 57.62%
||
7 Day CHG~0.00%
Published-29 Jul, 2020 | 17:30
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On Aspire-derived NEC PBXes, including all versions of SV8100 devices, a set of documented, static login credentials may be used to access the DIM interface.

Action-Not Available
Vendor-n/aNEC Corporation
Product-sv8100_firmwaresv8100n/a
CWE ID-CWE-287
Improper Authentication
CVE-2019-19518
Matching Score-4
Assigner-CA Technologies - A Broadcom Company
ShareView Details
Matching Score-4
Assigner-CA Technologies - A Broadcom Company
CVSS Score-9.8||CRITICAL
EPSS-1.29% / 78.79%
||
7 Day CHG~0.00%
Published-08 Jan, 2020 | 15:57
Updated-05 Aug, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CA Automic Sysload 5.6.0 through 6.1.2 contains a vulnerability, related to a lack of authentication on the File Server port, that potentially allows remote attackers to execute arbitrary commands.

Action-Not Available
Vendor-n/aBroadcom Inc.
Product-ca_automic_sysloadCA Automic Sysload
CWE ID-CWE-287
Improper Authentication
CVE-2019-20062
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.37% / 58.08%
||
7 Day CHG~0.00%
Published-10 Feb, 2020 | 12:17
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to reset a password by using a leaked hash (the hash never expires until used).

Action-Not Available
Vendor-mfscriptsn/a
Product-yetisharen/a
CWE ID-CWE-287
Improper Authentication
CVE-2019-20481
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.29% / 52.24%
||
7 Day CHG~0.00%
Published-24 Feb, 2020 | 14:35
Updated-05 Aug, 2024 | 02:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Function does not require knowledge of the old password. This can be exploited in conjunction with CVE-2019-20480.

Action-Not Available
Vendor-mielen/a
Product-xgw_3000_zigbee_gatewayxgw_3000_zigbee_gateway_firmwaren/a
CWE ID-CWE-287
Improper Authentication
CVE-2019-19521
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.81% / 73.29%
||
7 Day CHG~0.00%
Published-04 Dec, 2019 | 23:33
Updated-05 Aug, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

libc in OpenBSD 6.6 allows authentication bypass via the -schallenge username, as demonstrated by smtpd, ldapd, or radiusd. This is related to gen/auth_subr.c and gen/authenticate.c in libc (and login/login.c and xenocara/app/xenodm/greeter/verify.c).

Action-Not Available
Vendor-n/aOpenBSD
Product-openbsdn/a
CWE ID-CWE-287
Improper Authentication
CVE-2021-40506
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 30.09%
||
7 Day CHG~0.00%
Published-18 Apr, 2023 | 00:00
Updated-06 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the ALU unit of the OR1200 (aka OpenRISC 1200) processor 2011-09-10 through 2015-11-11. The overflow flag is not being updated for the msb and mac instructions, which results in an incorrect value in the overflow flag. Any software that relies on this flag may experience corruption in execution.

Action-Not Available
Vendor-openriscn/a
Product-or1200_firmwareor1200n/a
CWE ID-CWE-287
Improper Authentication
CVE-2021-40903
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-16.46% / 94.63%
||
7 Day CHG~0.00%
Published-17 Jun, 2022 | 13:46
Updated-04 Aug, 2024 | 02:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in Antminer Monitor 0.50.0 exists because of backdoor or misconfiguration inside a settings file in flask server. Settings file has a predefined secret string, which would be randomly generated, however it is static.

Action-Not Available
Vendor-antminer_monitor_projectn/a
Product-antminer_monitorn/a
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2025-7401
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.27% / 50.60%
||
7 Day CHG~0.00%
Published-11 Jul, 2025 | 04:22
Updated-15 Jul, 2025 | 13:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Premium Age Verification / Restriction for WordPress <= 3.0.2 - Unauthenticated Arbitrary File Read and Write via remote_tunnel.php

The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to read from or write to arbitrary files on the affected site's server which may make the exposure of sensitive information or remote code execution possible.

Action-Not Available
Vendor-aa-team
Product-Premium Age Verification / Restriction for WordPress
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2019-19825
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.62% / 69.04%
||
7 Day CHG~0.00%
Published-27 Jan, 2020 | 16:50
Updated-05 Aug, 2024 | 02:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. (Also, the CAPTCHA text is not needed once the attacker has determined valid credentials. The attacker can perform router actions via HTTP requests with Basic Authentication.) This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a702r_firmwarea3002ru_firmwaren300rt_firmwarea3002run150rtn200ren301rt_firmwaren302ra702rn301rtn150rt_firmwaren200re_firmwaren300rtn302r_firmwaren100re_firmwaren100ren/a
CWE ID-CWE-287
Improper Authentication
CVE-2019-20046
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.17% / 38.48%
||
7 Day CHG~0.00%
Published-14 Feb, 2020 | 16:18
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Synergy Systems & Solutions PLC & RTU system has a vulnerability in HUSKY RTU 6049-E70 firmware versions 5.0 and prior. The affected product does not require adequate authentication, which may allow an attacker to read sensitive information or execute arbitrary code. This is a different issue than CVE-2019-16879 and CVE-2019-20045.

Action-Not Available
Vendor-s3indian/a
Product-husky_rtu_6049-e70_firmwarehusky_rtu_6049-e70n/a
CWE ID-CWE-287
Improper Authentication
CVE-2018-10682
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-8.37% / 91.92%
||
7 Day CHG~0.00%
Published-09 May, 2018 | 08:00
Updated-05 Aug, 2024 | 07:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in WildFly 10.1.2.Final. It is possible for an attacker to access the administration panel on TCP port 9990 without any authentication using "anonymous" access that is automatically created. Once logged in, a misconfiguration present by default (auto-deployment) permits an anonymous user to deploy a malicious .war file, leading to remote code execution. NOTE: the vendor indicates that anonymous access is not available in the default installation; however, it remains optional because there are several use cases for it, including development environments and network architectures that have a proxy server for access control to the WildFly server

Action-Not Available
Vendor-wildflyn/awildfly
Product-wildflyn/awildfly
CWE ID-CWE-287
Improper Authentication
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 23
  • 24
  • Next
Details not found