CVE-2020-12017

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device’s vulnerability in the web application could allow multiple unauthenticated attacks that could cause serious impact. The vulnerability may allow an unauthenticated attacker to execute arbitrary commands and send a request to a specific URL that could cause the device to become unresponsive. The unauthenticated attacker may change the password of the 'configuration' user account, allowing the attacker to modify the configuration of the device via the web interface using the new password. This vulnerability may also allow an unauthenticated attacker to bypass the authentication required to configure the device and reboot the system.

GE Grid Solutions Reason RT Clocks, RT430, RT431 y RT434, todas las versiones de firmware anteriores a 08A05. La vulnerabilidad del dispositivo en la aplicación web podría permitir múltiples ataques no autenticados que podrían causar un grave impacto. La vulnerabilidad puede permitir a un atacante no autenticado ejecutar comandos arbitrarios y enviar una petición hacia una URL específica que podría causar que el dispositivo deje de responder. El atacante no autenticado puede cambiar la contraseña de la cuenta de usuario "configuration", permitiendo al atacante modificar la configuración del dispositivo por medio de la interfaz web usando la nueva contraseña. Esta vulnerabilidad también puede permitir a un atacante no autenticado omitir la autenticación requerida para configurar el dispositivo y reiniciar el sistema.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-04-21 CVE Reserved
2020-06-02 CVE Published
2024-08-04 CVE Updated
2025-01-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-306: Missing Authentication for Critical Function

CAPEC

References (1)

URL	Tag	Source
https://www.us-cert.gov/ics/advisories/icsa-20-154-05	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ge Search vendor "Ge"	Rt430 Firmware Search vendor "Ge" for product "Rt430 Firmware"	< 08a05 Search vendor "Ge" for product "Rt430 Firmware" and version " < 08a05"	-	Affected	in	Ge Search vendor "Ge"	Rt430 Search vendor "Ge" for product "Rt430"	-	-	Safe
Ge Search vendor "Ge"	Rt431 Firmware Search vendor "Ge" for product "Rt431 Firmware"	< 08a05 Search vendor "Ge" for product "Rt431 Firmware" and version " < 08a05"	-	Affected	in	Ge Search vendor "Ge"	Rt431 Search vendor "Ge" for product "Rt431"	-	-	Safe
Ge Search vendor "Ge"	Rt434 Firmware Search vendor "Ge" for product "Rt434 Firmware"	< 08a05 Search vendor "Ge" for product "Rt434 Firmware" and version " < 08a05"	-	Affected	in	Ge Search vendor "Ge"	Rt434 Search vendor "Ge" for product "Rt434"	-	-	Safe