1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Unitronics
- Equipment: Vision series PLCs
- Vulnerability: Storing Passwords in a Recoverable Format
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to log in to the Remote HMI feature, where the PLC may be factory reset, stopped, and restarted.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Unitronics Vision 230 PLCs are affected:
- Vision 230: All versions
- Vision 280: All versions
- Vision 290: All versions
- Vision 530: All versions
- Vision 120: All versions
3.2 Vulnerability Overview
3.2.1 Storing Passwords in a Recoverable Format CWE-257
Unitronics Vision Standard PLCs allow a remote, unauthenticated individual to retrieve the ‘Information Mode’ password in plaintext.
CVE-2024-1480 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-1480. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Water and Wastewater
- COUNTRIES/AREAS DEPLOYED: Worldwid
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from All CISA AdvisoriesRead the original article: