CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-3917
https://notcve.org/view.php?id=CVE-2022-3917
14 Dec 2022 — Improper access control of bootloader function was discovered in Motorola Mobility Motorola e20 prior to version RONS31.267-38-8 allows attacker with local access to read partition or RAM data. Se descubrió un control de acceso inadecuado a la función del cargador de arranque en Motorola Mobility. El Motorola e20 anterior a la versión RONS31.267-38-8 permite a un atacante con acceso local leer datos de partición o RAM. Improper access control of bootloader function was discovered in Motorola Mobility Motoro... • https://en-us.support.motorola.com/app/answers/detail/a_id/175333 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-30276
https://notcve.org/view.php?id=CVE-2022-30276
26 Jul 2022 — The Motorola MOSCAD and ACE line of RTUs through 2022-05-02 omit an authentication requirement. They feature IP Gateway modules which allow for interfacing between Motorola Data Link Communication (MDLC) networks (potentially over a variety of serial, RF and/or Ethernet links) and TCP/IP networks. Communication with RTUs behind the gateway is done by means of the proprietary IPGW protocol (5001/TCP). This protocol does not have any authentication features, allowing any attacker capable of communicating with... • https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-04 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30269
https://notcve.org/view.php?id=CVE-2022-30269
26 Jul 2022 — Motorola ACE1000 RTUs through 2022-05-02 mishandle application integrity. They allow for custom application installation via either STS software, the C toolkit, or the ACE1000 Easy Configurator. In the case of the Easy Configurator, application images (as PLX/DAT/APP/CRC files) are uploaded via the Web UI. In case of the C toolkit, they are transferred and installed using SFTP/SSH. In each case, application images were found to have no authentication (in the form of firmware signing) and only relied on inse... • https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-06 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30270
https://notcve.org/view.php?id=CVE-2022-30270
26 Jul 2022 — The Motorola ACE1000 RTU through 2022-05-02 has default credentials. It exposes an SSH interface on port 22/TCP. This interface is used for remote maintenance and for SFTP file-transfer operations that are part of engineering software functionality. Access to this interface is controlled by 5 preconfigured accounts (root, abuilder, acelogin, cappl, ace), all of which come with default credentials. Although the ACE1000 documentation mentions the root, abuilder and acelogin accounts and instructs users to cha... • https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-06 • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30271
https://notcve.org/view.php?id=CVE-2022-30271
26 Jul 2022 — The Motorola ACE1000 RTU through 2022-05-02 ships with a hardcoded SSH private key and initialization scripts (such as /etc/init.d/sshd_service) only generate a new key if no private-key file exists. Thus, this hardcoded key is likely to be used by default. Motorola ACE1000 RTU versiones hasta 02-05-2022, viene con una clave privada SSH embebida y los scripts de inicialización (como /etc/init.d/sshd_service) sólo generan una nueva clave si no se presenta un archivo de clave privada. Por lo tanto, es probabl... • https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-06 • CWE-259: Use of Hard-coded Password CWE-798: Use of Hard-coded Credentials •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30272
https://notcve.org/view.php?id=CVE-2022-30272
26 Jul 2022 — The Motorola ACE1000 RTU through 2022-05-02 mishandles firmware integrity. It utilizes either the STS software suite or ACE1000 Easy Configurator for performing firmware updates. In case of the Easy Configurator, firmware updates are performed through access to the Web UI where file system, kernel, package, bundle, or application images can be installed. Firmware updates for the Front End Processor (FEP) module are performed via access to the SSH interface (22/TCP), where a .hex file image is transferred an... • https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-06 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30274
https://notcve.org/view.php?id=CVE-2022-30274
26 Jul 2022 — The Motorola ACE1000 RTU through 2022-05-02 uses ECB encryption unsafely. It can communicate with an XRT LAN-to-radio gateway by means of an embedded client. Credentials for accessing this gateway are stored after being encrypted with the Tiny Encryption Algorithm (TEA) in ECB mode using a hardcoded key. Similarly, the ACE1000 RTU can route MDLC traffic over Extended Command and Management Protocol (XCMP) and Network Layer (XNL) networks via the MDLC driver. Authentication to the XNL port is protected by TE... • https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-06 • CWE-798: Use of Hard-coded Credentials •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-3898
https://notcve.org/view.php?id=CVE-2021-3898
22 Apr 2022 — Versions of Motorola Ready For and Motorola Device Help Android applications prior to 2021-04-08 do not properly verify the server certificate which could lead to the communication channel being accessible by an attacker. Las versiones de las aplicaciones Android de Motorola Ready For y Motorola Device Help anteriores al 08-04-2021, no verifican apropiadamente el certificado del servidor, lo que podría conllevar a que el canal de comunicación fuera accesible para un atacante • https://support.lenovo.com/us/en/product_security/LEN-58311 • CWE-295: Improper Certificate Validation •
CVSS: 4.8EPSS: 0%CPEs: 20EXPL: 0CVE-2021-38701
https://notcve.org/view.php?id=CVE-2021-38701
15 Dec 2021 — Certain Motorola Solutions Avigilon devices allow XSS in the administrative UI. This affects T200/201 before 4.10.0.68; T290 before 4.4.0.80; T008 before 2.2.0.86; T205 before 4.12.0.62; T204 before 3.28.0.166; and T100, T101, T102, and T103 before 2.6.0.180. Determinados dispositivos Avigilon de Motorola Solutions permiten un ataque de tipo XSS en la interfaz de usuario administrativa. Esto afecta a dispositivos T200/201 versiones anteriores a 4.10.0.68; T290 versiones anteriores a 4.4.0.80; T008 versiones... • https://support.avigilon.com/s/feed/0D54y00006l9eCMCAY • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2021-3459
https://notcve.org/view.php?id=CVE-2021-3459
17 Aug 2021 — A privilege escalation vulnerability was reported in the MM1000 device configuration web server, which could allow privileged shell access and/or arbitrary privileged commands to be executed on the adapter. Se ha reportado una vulnerabilidad de escalada de privilegios en el servidor web de configuración del dispositivo MM1000, que podría permitir el acceso privilegiado al shell y/o una ejecución de comandos privilegiados arbitrario en el adaptador. • https://motorolamentor.zendesk.com/hc/en-us/articles/1260804047750 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •