← Back

CVE-2021-20826

nvd nist
Published: Dec 24, 2021Modified: Nov 21, 2024

JSON object

Loading...
7.6
Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Exploitability: 2.8 / Impact: 4.7
Source: NVD

Description

Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted.

Affected (5)

Idec
5 products
Microsmart Fc6a Firmware
Microsmart Plus Fc6a Firmware
Data File Manager
Windedit
Windldr
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Microsmart Fc6a Firmware
Up to 2.32
Running on/withPlatform Versions
Idec
Microsmart Fc6a
All versions
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Microsmart Plus Fc6a Firmware
Up to 1.91
Running on/withPlatform Versions
Idec
Microsmart Plus Fc6a
All versions
Configuration C
3 vulnerable
Vulnerable SoftwareAffected Versions
Data File Manager
Up to 2.12.1
Windedit
Up to 1.3.1
Windldr
Up to 8.19.1

Related CWEs

CWE-522
Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (4)

Source: vultures@jpcert.or.jp
Third Party Advisory
Source: vultures@jpcert.or.jp
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.