CWE-285: IMPROPER AUTHORIZATION

Certain MQTT wildcards are not blocked on the system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.

Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.

CWE-321: USE OF HARD-CODED CRYPTOGRAPHIC KEY

The devices Power Panel manages use identical certificates based on a hard-coded cryptographic key. This can allow an attacker to impersonate any client in the system and send malicious data.

Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.

CWE-89: IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION')

An attacker with certain MQTT permissions can create malicious messages to all Power Panel devices. This could result in an attacker injecting SQL syntax, writing arbitrary files to the system, and executing remote code.

Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.

CWE-257: STORING PASSWORDS IN A RECOVERABLE FORMAT

The key used to encrypt passwords stored in the database can be found in the application code, allowing the passwords to be recovered.

Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.

CWE-489: ACTIVE DEBUG CODE

Hard-coded credentials for the test server can be found in the production code. This might result in an attacker gaining access to the testing or production server.

Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.

CWE-798: USE OF HARD-CODED CREDENTIALS

Hard-coded credentials are used by the platform to authenticate to the database, other services, and the cloud. This could result in an attacker gaining access to services with the privileges of a Powerpanel application.

Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.

CWE-23: RELATIVE PATH TRAVERSAL

A specially crafted Zip file containing path traversal characters can be imported to the server, which allows file writing to the server outside the intended scope, and could allow an attacker to achieve remote code execution.

Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.

CWE-259: USE OF HARD-CODED PASSWORD

The application code contains a hard-coded set of authentication credentials. This could result in an attacker bypassing authentication and gaining administrator privileges.

Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.

CWE-36: Absolute Path Traversal

Successful exploitation of this vulnerability could allow an attacker to read from the Experion controllers or SMSC S300. This exploit could be used to read files from the controller that may expose limited information from the device.

CWE-749: Exposed Dangerous Method or Function

Successful exploitation of this vulnerability could allow an attacker to modify files on Experion controllers or SMSC S300. This exploit could be used to write a file that may result in unexpected behavior based on configuration changes or updating of files that could result in subsequent execution of a malicious application if triggered.

CWE-284 IMPROPER ACCESS CONTROL:

The entire parent directory - C:\ScadaPro and its sub-directories and files are configured by default to allow users, including unprivileged users, to write or overwrite files.

Measuresoft recommends that users manually reconfigure the vulnerable directories so that they are not writable by everyone.

CWE-256: Plaintext Storage of a Password

In Automation-Direct C-MORE EA9 HMI credentials used by the platform are stored as plain text on the device.

AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78

Affected versions:

• C-MORE EA9 HMI EA9-T6CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T7CL: Version 6.77 and prior
• C-MORE EA9 HMI EA0-T7CL-R: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T8CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T10CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T10WCL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T12CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T15CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T15CL-R: Version 6.77 and prior
• C-MORE EA9 HMI EA9-RHMI: Version 6.77 and prior
• C-MORE EA9 HMI EA9-PGMSW: Version 6.77 and prior

CWE-121: Stack-based Buffer Overflow

In Automation-Direct C-MORE EA9 HMI there is a program that copies a buffer of a size controlled by the user into a limited sized buffer on the stack which leads to a stack overflow. The result of this stack-based buffer overflow will lead to a denial-of-service conditions.

AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78

Affected versions:

• C-MORE EA9 HMI EA9-T6CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T7CL: Version 6.77 and prior
• C-MORE EA9 HMI EA0-T7CL-R: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T8CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T10CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T10WCL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T12CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T15CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T15CL-R: Version 6.77 and prior
• C-MORE EA9 HMI EA9-RHMI: Version 6.77 and prior
• C-MORE EA9 HMI EA9-PGMSW: Version 6.77 and prior

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

There is a function in Automation-Direct C-MORE EA9 HMI that allows an attacker to send a relative path in the URL without proper sanitizing of the content.

AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78

Affected versions:

• C-MORE EA9 HMI EA9-T6CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T7CL: Version 6.77 and prior
• C-MORE EA9 HMI EA0-T7CL-R: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T8CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T10CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T10WCL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T12CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T15CL: Version 6.77 and prior
• C-MORE EA9 HMI EA9-T15CL-R: Version 6.77 and prior
• C-MORE EA9 HMI EA9-RHMI: Version 6.77 and prior
• C-MORE EA9 HMI EA9-PGMSW: Version 6.77 and prior

CWE-319: CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION

The affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker to capture packets to craft their own requests.

Softing edgeConnector: Version 3.60 and Softing edgeAggregator: Version 3.60 are affected. Update Softing edgeConnector and edgeAggregator to v3.70 or greater.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Unitronics released an update to its Unistream Unilogic software, fixing multiple security vulnerabilities. Update ASAP to version 1.35.227 or latest version provided by Unitronics.

[Read more: New Critical Vulnerabilities in Unitronics UniStream Devices Uncovered.]

CWE-23: Relative Path Traversal

Unitronics released an update to its Unistream Unilogic software, fixing multiple security vulnerabilities. Versions affected are earlier than 1.35.227.

[Read more: New Critical Vulnerabilities in Unitronics UniStream Devices Uncovered.]

CWE-22: 'Path traversal'

Unitronics released an update to its Unistream Unilogic software, fixing multiple security vulnerabilities. Versions affected are earlier than 1.35.227.

Read More: New Critical Vulnerabilities in Unitronics UniStream Devices Uncovered

CWE-22: Path Traversal

Unitronics released an update to its Unistream Unilogic software, fixing multiple security vulnerabilities, including this remote code execution vulnerability.

[Read more: New Critical Vulnerabilities in Unitronics UniStream Devices Uncovered.]

CWE-78: 'OS Command Injection'

Unitronics released an update to its Unistream Unilogic software, fixing multiple security vulnerabilities. Versions affected are earlier than 1.35.227.

[Read more: New Critical Vulnerabilities in Unitronics UniStream Devices Uncovered.]

CWE-78: 'OS Command Injection'

Unitronics released an update to its Unistream Unilogic software, fixing multiple security vulnerabilities. Versions affected are earlier than 1.35.227.

[Read more: New Critical Vulnerabilities in Unitronics UniStream Devices Uncovered.]

CWE-259: Use of Hard-coded Password: Sensitive Information Embedded inside Devices Firmware

Unitronics released an update to its Unistream Unilogic software, fixing multiple security vulnerabilities. Versions affected are earlier than 1.35.227.

Read More: New Critical Vulnerabilities in Unitronics UniStream Devices Uncovered

CWE-287: Improper Authentication

Unitronics released an update to its Unistream Unilogic software, fixing multiple security vulnerabilities. Versions affected are earlier than 1.35.227. Update ASAP to version 1.35.227 or latest version provided by Unitronics.

Read more: New Critical Vulnerabilities in Unitronics UniStream Devices Uncovered.

CWE-77: IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION')

In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an authenticated user with network access could execute arbitrary commands from a remote computer.

CWE-285: IMPROPER AUTHORIZATION
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition.

CWE-287:IMPROPER AUTHENTICATION
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could bypass authentication and acquire admin capabilities.

CWE-77: IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION')

In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could execute arbitrary commands in root context from a remote computer.

CWE-20: Improper Input Validation

MachineSense FeverWarn Raspberry Pi-based devices lack input sanitization, which could allow an attacker on an adjacent network to send a message running commands or could overflow the stack.

CWE-284: Improper Access Control

MachineSense FeverWarn devices are configured as Wi-Fi hosts in a way that attackers within range could connect to the device's web services and compromise the device.