// For flags

CVE-2019-14929

 

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Stored cleartext passwords could allow an unauthenticated attacker to obtain configured username and password combinations on the RTU due to the weak credentials management on the RTU. An unauthenticated user can obtain the exposed password credentials to gain access to the following services: DDNS service, Mobile Network Provider, and OpenVPN service.

Se descubrió un problema en los dispositivos Mitsubishi Electric ME-RTU versiones hasta 2.02 y los dispositivos INEA ME-RTU versiones hasta 3.0. Las contraseñas de texto sin cifrar almacenadas podrían permitir a un atacante no autenticado obtener combinaciones de nombre de usuario y contraseña configuradas en la RTU debido a una gestión de credenciales débiles en la RTU. Un usuario no autenticado puede obtener las credenciales de contraseña expuestas para conseguir acceso a los siguientes servicios: servicio DDNS, Mobile Network Provider y servicio OpenVPN.

An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Stored cleartext passwords could allow an unauthenticated attacker to obtain configured username and password combinations on the RTU due to the weak credentials management on the RTU. An unauthenticated user can obtain the exposed password credentials to gain access to the following services: DDNS service, Mobile Network Provider, and OpenVPN service.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-08-10 CVE Reserved
  • 2019-10-28 CVE Published
  • 2024-06-12 EPSS Updated
  • 2024-09-10 CVE Updated
  • 2024-09-10 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-522: Insufficiently Protected Credentials
CAPEC
References (2)
URL Tag Source
https://www.mogozobo.com Third Party Advisory
URL Date SRC
https://www.mogozobo.com/?p=3593 2024-09-10
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Mitsubishielectric
Search vendor "Mitsubishielectric"
 Smartrtu Firmware
Search vendor "Mitsubishielectric" for product "Smartrtu Firmware"
 <= 2.02
Search vendor "Mitsubishielectric" for product "Smartrtu Firmware" and version " <= 2.02"
-
Affected
in Mitsubishielectric
Search vendor "Mitsubishielectric"
 Smartrtu
Search vendor "Mitsubishielectric" for product "Smartrtu"
--
Safe
Inea
Search vendor "Inea"
 Me-rtu Firmware
Search vendor "Inea" for product "Me-rtu Firmware"
 <= 3.0
Search vendor "Inea" for product "Me-rtu Firmware" and version " <= 3.0"
-
Affected
in Inea
Search vendor "Inea"
 Me-rtu
Search vendor "Inea" for product "Me-rtu"
--
Safe