Missing Authentication for Critical Function in Secvest Wireless Alarm System FUAA50000 - CVE-2020-28973

 

Missing Authentication for Critical Function in Secvest Wireless Alarm System FUAA50000 - CVE-2020-28973

Published: April 26, 2021


Vulnerability identifier: #VU52558
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-28973
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ABUS
Affected software:
Secvest Wireless Alarm System FUAA50000

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to the device.

The vulnerability exists due to missing authentication checks for multiple scripts within the HTTP management interface of the device. A remote non-authenticated attacker can directly request certain scripts and obtain sensitive information, such as usernames and passwords. This information can then be used to reconfigure or disable the alarm system.


How to mitigate CVE-2020-28973

Install updates from vendor's website.

Sources