Vulnerability identifier: #VU51001
Vulnerability risk: High
CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
ICX35-HWC-A
Hardware solutions /
Other hardware appliances
ICX35-HWC-E
Hardware solutions /
Other hardware appliances
Vendor: ProSoft Technology
Description
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to changing the password on the module webpage does not require the user to type in the current password first. A remote attacker can change the current user’s password and alter device configurations.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
ICX35-HWC-A: 1.9.62
ICX35-HWC-E: 1.9.62
External links
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-04
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.