CVE-2023-29155

Published Nov 20, 2023

Last updated a year ago

CVSS critical 9.8

Overview

Description: Versions of INEA ME RTU firmware 3.36b and prior do not require authentication to the "root" account on the host system of the device. This could allow an attacker to obtain admin-level access to the host system.
Source: ics-cert@hq.dhs.gov
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

nvd@nist.gov: CWE-287
ics-cert@hq.dhs.gov: CWE-287

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:inea:me_rtu:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "97E14440-C423-4D41-9834-E33564A4B70D"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:inea:me_rtu_firmware:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0B126A5A-58B5-47F5-BE20-33ACBEDBF3B8",
            "versionEndExcluding": "3.37"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References