#VU28548 Missing Authentication for Critical Function in GE products - CVE-2020-12017
Published: June 3, 2020
Vulnerability identifier: #VU28548
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-12017
CWE-ID: CWE-306
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vulnerable software:
Reason RT430
Reason RT431
Reason RT434
Reason RT430
Reason RT431
Reason RT434
Software vendor:
GE
GE
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to an insufficient authentication mechanism in the web application. A remote attacker on the local network can send a specially crafted request to execute arbitrary commands, change the password of the "configuration" user account to modify the configuration of the device, or bypass the authentication required to configure the device and reboot the system.
Remediation
Install updates from vendor's website.