CVE-2021-20827 Information

Jun 07, 2022 cve

Description

Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier FC6A Series MICROSmart Plus CPU module v1.91 and earlier WindLDR v8.19.1 and earlier WindEDIT Lite v1.3.1 and earlier and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from file servers backup repositories or ZLD files saved in SD cards. As a result the attacker may access the PLC Web server and hijack the PLC and manipulation of the PLC output and/or suspension of the PLC may be conducted.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf https://jvn.jp/en/vu/JVNVU92279973/index.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

7.5

Share on: