CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 1CVE-2019-14926
https://notcve.org/view.php?id=CVE-2019-14926
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Hard-coded SSH keys allow an attacker to gain unauthorised access or disclose encrypted data on the RTU due to the keys not being regenerated on initial installation or with firmware updates. In other words, these devices use private-key values in /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_ecdsa_key, and /etc/ssh/ssh_host_dsa_key files that are publicly available from the vendor web sites. Se detectó un problema en los dispositivos Mitsubishi Electric ME-RTU versiones hasta la versión 2.02 y los dispositivos INEA ME-RTU versiones hasta la versión 3.0. Las claves SSH embebidas permiten a un atacante conseguir acceso no autorizado o divulgar datos cifrados en la RTU debido a que las claves no son regeneradas en la instalación inicial o con las actualizaciones de firmware. • https://www.mogozobo.com https://www.mogozobo.com/?p=3593 • CWE-798: Use of Hard-coded Credentials •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 1CVE-2019-14928
https://notcve.org/view.php?id=CVE-2019-14928
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A number of stored cross-site script (XSS) vulnerabilities allow an attacker to inject malicious code directly into the application. An example input variable vulnerable to stored XSS is SerialInitialModemString in the index.php page. Se descubrió un problema en los dispositivos Mitsubishi Electric ME-RTU versiones hasta la verisón 2.02 y los dispositivos INEA ME-RTU versiones hasta la versión 3.0. Una serie de vulnerabilidades de tipo cross-site script (XSS) almacenado permiten a un atacante inyectar código malicioso directamente en la aplicación. • https://www.mogozobo.com https://www.mogozobo.com/?p=3593 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 3%CPEs: 4EXPL: 2CVE-2019-14927 – Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download
https://notcve.org/view.php?id=CVE-2019-14927
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote configuration download vulnerability allows an attacker to download the smartRTU's configuration file (which contains data such as usernames, passwords, and other sensitive RTU data). Se descubrió un problema en los dispositivos Mitsubishi Electric ME-RTU versiones hasta la versión 2.02 y los dispositivos INEA ME-RTU versiones hasta la versión 3.0. Una vulnerabilidad de descarga de configuración remota no autenticada permite a un atacante descargar el archivo de configuración de smartRTU (que contiene datos como nombres de usuario, contraseñas y otros datos confidenciales de RTU). An issue was discovered on Mitsubishi Electric Europe B.V. • https://www.exploit-db.com/exploits/47234 https://www.mogozobo.com https://www.mogozobo.com/?p=3593 • CWE-306: Missing Authentication for Critical Function CWE-425: Direct Request ('Forced Browsing') •
CVSS: 10.0EPSS: 1%CPEs: 4EXPL: 2CVE-2019-14931 – Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell
https://notcve.org/view.php?id=CVE-2019-14931
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU's system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data. • https://www.exploit-db.com/exploits/47235 https://www.mogozobo.com https://www.mogozobo.com/?p=3593 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •