Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-40825

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-17 Sep, 2021 | 16:54
Updated At-04 Aug, 2024 | 02:51
Rejected At-
Credits

nLight ECLYPSE (nECY) system Controllers running software prior to 1.17.21245.754 contain a default key vulnerability. The nECY does not force a change to the key upon the initial configuration of an affected device. nECY system controllers utilize an encrypted channel to secure SensorViewTM configuration and monitoring software and nECY to nECY communications. Impacted devices are at risk of exploitation. A remote attacker with IP access to an impacted device could submit lighting control commands to the nECY by leveraging the default key. A successful attack may result in the attacker gaining the ability to modify lighting conditions or gain the ability to update the software on lighting devices. The impacted key is referred to as the SensorView Password in the nECY nLight Explorer Interface and the Gateway Password in the SensorView application. An attacker cannot authenticate to or modify the configuration or software of the nECY system controller.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:17 Sep, 2021 | 16:54
Updated At:04 Aug, 2024 | 02:51
Rejected At:
▼CVE Numbering Authority (CNA)

nLight ECLYPSE (nECY) system Controllers running software prior to 1.17.21245.754 contain a default key vulnerability. The nECY does not force a change to the key upon the initial configuration of an affected device. nECY system controllers utilize an encrypted channel to secure SensorViewTM configuration and monitoring software and nECY to nECY communications. Impacted devices are at risk of exploitation. A remote attacker with IP access to an impacted device could submit lighting control commands to the nECY by leveraging the default key. A successful attack may result in the attacker gaining the ability to modify lighting conditions or gain the ability to update the software on lighting devices. The impacted key is referred to as the SensorView Password in the nECY nLight Explorer Interface and the Gateway Password in the SensorView application. An attacker cannot authenticate to or modify the configuration or software of the nECY system controller.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.acuitybrands.com/products/detail/588952/nlight/necy-system-controller/nlight-eclypset-system-controller
x_refsource_MISC
https://insights.acuitybrands.com/psirt-blog-2369078/nlight-eclypse-default-key-vulnerabiliy
x_refsource_MISC
Hyperlink: https://www.acuitybrands.com/products/detail/588952/nlight/necy-system-controller/nlight-eclypset-system-controller
Resource:
x_refsource_MISC
Hyperlink: https://insights.acuitybrands.com/psirt-blog-2369078/nlight-eclypse-default-key-vulnerabiliy
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.acuitybrands.com/products/detail/588952/nlight/necy-system-controller/nlight-eclypset-system-controller
x_refsource_MISC
x_transferred
https://insights.acuitybrands.com/psirt-blog-2369078/nlight-eclypse-default-key-vulnerabiliy
x_refsource_MISC
x_transferred
Hyperlink: https://www.acuitybrands.com/products/detail/588952/nlight/necy-system-controller/nlight-eclypset-system-controller
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://insights.acuitybrands.com/psirt-blog-2369078/nlight-eclypse-default-key-vulnerabiliy
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:17 Sep, 2021 | 17:15
Updated At:04 Oct, 2021 | 16:07

nLight ECLYPSE (nECY) system Controllers running software prior to 1.17.21245.754 contain a default key vulnerability. The nECY does not force a change to the key upon the initial configuration of an affected device. nECY system controllers utilize an encrypted channel to secure SensorViewTM configuration and monitoring software and nECY to nECY communications. Impacted devices are at risk of exploitation. A remote attacker with IP access to an impacted device could submit lighting control commands to the nECY by leveraging the default key. A successful attack may result in the attacker gaining the ability to modify lighting conditions or gain the ability to update the software on lighting devices. The impacted key is referred to as the SensorView Password in the nECY nLight Explorer Interface and the Gateway Password in the SensorView application. An attacker cannot authenticate to or modify the configuration or software of the nECY system controller.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.6HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N
CPE Matches
acuitybrands
acuitybrands
>>nlight_eclypse_system_controller>>-
cpe:2.3:h:acuitybrands:nlight_eclypse_system_controller:-:*:*:*:*:*:*:*
acuitybrands
acuitybrands
>>nlight_eclypse_system_controller_firmware>>Versions before 1.17.21245.754(exclusive)
cpe:2.3:o:acuitybrands:nlight_eclypse_system_controller_firmware:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-1188Primarynvd@nist.gov
CWE ID: CWE-1188
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://insights.acuitybrands.com/psirt-blog-2369078/nlight-eclypse-default-key-vulnerabiliycve@mitre.org
Vendor Advisory
https://www.acuitybrands.com/products/detail/588952/nlight/necy-system-controller/nlight-eclypset-system-controllercve@mitre.org
Product
Vendor Advisory
Hyperlink: https://insights.acuitybrands.com/psirt-blog-2369078/nlight-eclypse-default-key-vulnerabiliy
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: https://www.acuitybrands.com/products/detail/588952/nlight/necy-system-controller/nlight-eclypset-system-controller
Source: cve@mitre.org
Resource:
Product
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

3Records found
CVE-2017-6750
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-0.75% / 72.15%
||
7 Day CHG~0.00%
Published-25 Jul, 2017 | 19:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in AsyncOS for the Cisco Web Security Appliance (WSA) could allow an unauthenticated, local attacker to log in to the device with the privileges of a limited user or an unauthenticated, remote attacker to authenticate to certain areas of the web GUI, aka a Static Credentials Vulnerability. Affected Products: virtual and hardware versions of Cisco Web Security Appliance (WSA). More Information: CSCve06124. Known Affected Releases: 10.1.0-204. Known Fixed Releases: 10.5.1-270.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-web_security_virtual_applianceweb_security_applianceCisco Web Security Appliance
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
CVE-2020-7685
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-5.4||MEDIUM
EPSS-0.45% / 62.68%
||
7 Day CHG~0.00%
Published-28 Jul, 2020 | 16:25
Updated-16 Sep, 2024 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Defaults

This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies.

Action-Not Available
Vendor-n/aUmbraco A/S (Umbraco)
Product-umbraco_formsUmbracoForms
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
CVE-2017-5491
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-1.50% / 80.39%
||
7 Day CHG~0.00%
Published-15 Jan, 2017 | 02:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name.

Action-Not Available
Vendor-n/aWordPress.org
Product-wordpressn/a
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
Details not found