CVE-2018-18998
LAquis SCADA Web Server Hardcoded Credentials Authentication Bypass Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
LCDS Laquis SCADA prior to version 4.1.0.4150 uses hard coded credentials, which may allow an attacker unauthorized access to the system with high privileges.
LCDS Laquis SCADA, en versiones anteriores a la 4.1.0.4150, utiliza credenciales embebidas, lo que podrĂa permitir a un atacante obtener acceso no autorizado al sistema con privilegios altos.
This vulnerability allows remote attackers to bypass authentication on vulnerable installations of LAquis SCADA Software. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of login requests to the product's webserver. The product contains a hard-coded password for a number of undocumented accounts. An attacker can leverage this vulnerability to bypass authentication on the system.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-11-06 CVE Reserved
- 2019-01-19 CVE Published
- 2024-06-07 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-798: Use of Hard-coded Credentials
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/106634 | Third Party Advisory | |
| https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Lcds Search vendor "Lcds" | Laquis Scada Search vendor "Lcds" for product "Laquis Scada" | < 4.1.0.4150 Search vendor "Lcds" for product "Laquis Scada" and version " < 4.1.0.4150" | - |
Affected
| ||||||