Insufficiently protected credentials in AutomationDirect C-More Touch Panels



Published: 2020-02-05
Risk: High
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2020-6969
CWE-ID: CWE-522
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
C-More Touch Panels EA9 series
Hardware solutions / Other hardware appliances

Vendor: AutomationDirect

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Insufficiently protected credentials

EUVDB-ID: #VU24933

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-6969

CWE-ID: CWE-522 - Insufficiently Protected Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to access the target system and manipulate system configurations.

The vulnerability exists because the affected software allows credentials and other sensitive information to be unmasked in “unprotected” project files. A remote attacker can obtain account information such as usernames and passwords, obscure or manipulate process data, and lock out access to the device.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

C-More Touch Panels EA9 series: 5.0 - 6.52

External links

http://ics-cert.us-cert.gov/advisories/icsa-20-035-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


