CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-29155 – Improper Authentication INEA ME RTU
https://notcve.org/view.php?id=CVE-2023-29155
Versions of INEA ME RTU firmware 3.36b and prior do not require authentication to the "root" account on the host system of the device. This could allow an attacker to obtain admin-level access to the host system. Las versiones del firmware INEA ME RTU 3.36b y anteriores no requieren autenticación en la cuenta "raíz" en el sistema host del dispositivo. Esto podría permitir a un atacante obtener acceso de nivel de administrador al sistema host. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-304-02 • CWE-287: Improper Authentication •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2023-35762 – OS Command Injection in INEA ME RTU
https://notcve.org/view.php?id=CVE-2023-35762
Versions of INEA ME RTU firmware 3.36b and prior are vulnerable to operating system (OS) command injection, which could allow remote code execution. Las versiones del firmware INEA ME RTU 3.36b y anteriores son vulnerables a la inyección de comandos del sistema operativo (SO), lo que podría permitir la ejecución remota de código. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-304-02 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-2131 – CVE-2023-2131
https://notcve.org/view.php?id=CVE-2023-2131
Versions of INEA ME RTU firmware prior to 3.36 are vulnerable to OS command injection, which could allow an attacker to remotely execute arbitrary code. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-110-01 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 1CVE-2019-14925
https://notcve.org/view.php?id=CVE-2019-14925
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A world-readable /usr/smartrtu/init/settings.xml configuration file on the file system allows an attacker to read sensitive configuration settings such as usernames, passwords, and other sensitive RTU data due to insecure permission assignment. Se descubrió un problema en los dispositivos Mitsubishi Electric ME-RTU versiones hasta la versión 2.02 y los dispositivos INEA ME-RTU versiones hasta la versión 3.0. Un archivo de configuración /usr/smartrtu/init/settings.xml de tipo world-readable en el sistema de archivos le permite al atacante leer ajustes de configuración confidencial tales como nombres de usuario, contraseñas y otros datos confidenciales de la RTU debido a una asignación de permisos no seguros. An issue was discovered on Mitsubishi Electric Europe B.V. • https://www.mogozobo.com https://www.mogozobo.com/?p=3593 • CWE-276: Incorrect Default Permissions •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 1CVE-2019-14929
https://notcve.org/view.php?id=CVE-2019-14929
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Stored cleartext passwords could allow an unauthenticated attacker to obtain configured username and password combinations on the RTU due to the weak credentials management on the RTU. An unauthenticated user can obtain the exposed password credentials to gain access to the following services: DDNS service, Mobile Network Provider, and OpenVPN service. Se descubrió un problema en los dispositivos Mitsubishi Electric ME-RTU versiones hasta 2.02 y los dispositivos INEA ME-RTU versiones hasta 3.0. Las contraseñas de texto sin cifrar almacenadas podrían permitir a un atacante no autenticado obtener combinaciones de nombre de usuario y contraseña configuradas en la RTU debido a una gestión de credenciales débiles en la RTU. • https://www.mogozobo.com https://www.mogozobo.com/?p=3593 • CWE-522: Insufficiently Protected Credentials •