1. EXECUTIVE SUMMARY
- CVSS v4 7.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: HMS Networks
- Equipment: EWON FLEXY 202
- Vulnerability: Insufficiently Protected Credentials
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to sniff and decode credentials that are transmitted using weak encoding techniques.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of EWON FLEXY 202, an industrial modular gateway, are affected:
- EWON FLEXY 202: Firmware Version 14.2s0
3.2 Vulnerability Overview
3.2.1 CWE-522: Insufficiently Protected Credentials
The EWON FLEXY 202 transmits credentials using a weak encoding method base64. An attacker who is present in the network can sniff the traffic and decode the credentials.
CVE-2024-7755 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).
CVE-2024-7755 has been assigned to this vulnerability. A CVSS v4 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Water and Wastewater Systems, Energy, and Food and Agriculture
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Sweden
Read the original article: