#VU24933 Insufficiently protected credentials in C-More Touch Panels EA9 series


Published: 2020-02-05

Vulnerability identifier: #VU24933

Vulnerability risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-6969

CWE-ID: CWE-522

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
C-More Touch Panels EA9 series
Hardware solutions / Other hardware appliances

Vendor: AutomationDirect

Description

The vulnerability allows a remote attacker to access the target system and manipulate system configurations.

The vulnerability exists because the affected software allows credentials and other sensitive information to be unmasked in “unprotected” project files. A remote attacker can obtain account information such as usernames and passwords, obscure or manipulate process data, and lock out access to the device.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

C-More Touch Panels EA9 series: 5.0 - 6.52


External links
http://ics-cert.us-cert.gov/advisories/icsa-20-035-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

