Vulnerability Details : CVE-2019-14929
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Stored cleartext passwords could allow an unauthenticated attacker to obtain configured username and password combinations on the RTU due to the weak credentials management on the RTU. An unauthenticated user can obtain the exposed password credentials to gain access to the following services: DDNS service, Mobile Network Provider, and OpenVPN service.
Exploit prediction scoring system (EPSS) score for CVE-2019-14929
Probability of exploitation activity in the next 30 days: 0.84%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 80 %
CVSS scores for CVE-2019-14929
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2019-14929
- The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-14929
- https://www.mogozobo.com/?p=3593
  Mogozobo » (CVE-2019-14925 –> CVE-2019-14931) Mitsubishi Electric & INEA RTU Multiple Vulnerabilities (Exploit; Third Party Advisory)
- https://www.mogozobo.com/
  Mogozobo (Third Party Advisory)
Products affected by CVE-2019-14929
- cpe:2.3:o:mitsubishielectric:smartrtu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:inea:me-rtu_firmware:*:*:*:*:*:*:*:*