Vulnerability Details : CVE-2020-12500
Potential exploit
Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) allows unauthenticated device administration.
Products affected by CVE-2020-12500
- cpe:2.3:o:pepperl-fuchs:es7510-xt_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es8509-xt_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es8510-xt_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es9528-xtv2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es7506_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es7510_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es7528_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es8508_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es8508f_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es8510_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es8510-xte_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es9528_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es9528-xt_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-12500
6.46%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 90 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-12500
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
CERT VDE | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2020-12500
-
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Assigned by:
- info@cert.vde.com (Primary)
- nvd@nist.gov (Secondary)
References for CVE-2020-12500
-
http://packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html
Korenix Technology JetWave CSRF / Command Injection / Missing Authentication ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
http://seclists.org/fulldisclosure/2021/Jun/0
Full Disclosure: SEC Consult SA-20210601-0 :: Multiple critical vulnerabilities in Korenix Technology JetNet SeriesExploit;Mailing List;Third Party Advisory
-
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/
Multiple Critical Vulnerabilities in Korenix Technology, Westermo and Pepperl+Fuchs productsThird Party Advisory
-
http://packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html
Korenix CSRF / Backdoor Accounts / Command Injection / Missing Authentication ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://cert.vde.com/de-de/advisories/vde-2020-040
PEPPERL+FUCHS: Multiple Products prone to multiple vulnerabilities in Comtrol RocketLinux (Update A) — German (Germany)Third Party Advisory
Jump to