CVE-2021-20826 Information

Jun 07, 2022 cve

Description

Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier FC6A Series MICROSmart Plus CPU module v1.91 and earlier WindLDR v8.19.1 and earlier WindEDIT Lite v1.3.1 and earlier and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result the complete access privileges to the PLC Web server may be obtained and manipulation of the PLC output and/or suspension of the PLC may be conducted.

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Reference

https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf https://jvn.jp/en/vu/JVNVU92279973/index.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

LOW

Base Score

LOW

Base Severity

7.6

Share on: