Privilege escalation in ProSoft Technology ICX35
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2021-22661 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
ICX35-HWC-A Hardware solutions / Other hardware appliances ICX35-HWC-E Hardware solutions / Other hardware appliances |
| Vendor | ProSoft Technology |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU51001
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22661
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to changing the password on the module webpage does not require the user to type in the current password first. A remote attacker can change the current user’s password and alter device configurations.
MitigationInstall updates from vendor's website.
Vulnerable software versionsICX35-HWC-A: 1.9.62
ICX35-HWC-E: 1.9.62
External linkshttp://us-cert.cisa.gov/ics/advisories/icsa-21-056-04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
