Vulnerability Details CVE-2021-3252
KACO New Energy XP100U Up to XP-JAVA 2.0 is affected by incorrect access control. Credentials will always be returned in plain-text from the local server during the KACO XP100U authentication process, regardless of whatever passwords have been provided, which leads to an information disclosure vulnerability.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 61.0%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://tiger-team-1337.blogspot.com/2021/01/kaco-xp100u-hmi-credential-leak.html
- https://twitter.com/Kevin2600/status/1351189347501023238
- https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01
- https://tiger-team-1337.blogspot.com/2021/01/kaco-xp100u-hmi-credential-leak.html
- https://twitter.com/Kevin2600/status/1351189347501023238
- https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01
Products affected by CVE-2021-3252
-
cpe:2.3:h:kaco-newenergy:xp100u:-
-
cpe:2.3:o:kaco-newenergy:xp100u_firmware:xp-java_2.0