CVE-2021-3252

KACO New Energy XP100U Up to XP-JAVA 2.0 is affected by incorrect access control. Credentials will always be returned in plain-text from the local server during the KACO XP100U authentication process, regardless of whatever passwords have been provided, which leads to an information disclosure vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 61%
Common Weakness Enumeration
References
https://tiger-team-1337.blogspot.com/2021/01/kaco-xp100u-hmi-credential-leak.html
https://twitter.com/Kevin2600/status/1351189347501023238
https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01
https://tiger-team-1337.blogspot.com/2021/01/kaco-xp100u-hmi-credential-leak.html
https://twitter.com/Kevin2600/status/1351189347501023238
https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01