Vulnerability Details: CVE-2020-12504
Improper Authorization vulnerability in Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3 and below: the devices have an active TFTP service.
Products affected by CVE-2020-12504
- cpe:2.3:o:korenix:jetwave_2212s_firmware:1.5:*:*:*:*:*:*:*
- cpe:2.3:o:korenix:jetwave_2212g_firmware:1.4:*:*:*:*:*:*:*
- cpe:2.3:o:korenix:jetwave_2311_firmware:1.2:*:*:*:*:*:*:*
- cpe:2.3:o:korenix:jetwave_3220_firmware:1.2:*:*:*:*:*:*:*
- cpe:2.3:o:korenix:jetwave_3420_firmware:1.1.3t:*:*:*:*:*:*:*
- cpe:2.3:o:korenix:jetwave_2212x_firmware:1.5:*:*:*:*:*:*:*
- cpe:2.3:o:korenix:jetwave_5428g-20sfp_firmware:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:korenix:jetwave_5810g_firmware:1.1:*:*:*:*:*:*:*
- cpe:2.3:o:korenix:jetwave_5310_firmware:1.5:*:*:*:*:*:*:*
- cpe:2.3:o:korenix:jetwave_5010_firmware:3.1a:*:*:*:*:*:*:*
- cpe:2.3:o:korenix:jetwave_4706f_firmware:2.3b:*:*:*:*:*:*:*
- cpe:2.3:o:korenix:jetwave_4706_firmware:2.3b:*:*:*:*:*:*:*
- cpe:2.3:o:korenix:jetwave_4510_firmware:3.0b:*:*:*:*:*:*:*
- cpe:2.3:o:westermo:pmi-110-f2g_firmware:1.5:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es7510-xt_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es8509-xt_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es8510-xt_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es9528-xtv2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es7506_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es7510_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es7528_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es8508_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es8508f_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es8510_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es8510-xte_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es9528_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:es9528-xt_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:icrl-m-8rj45\/4sfp-g-din_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pepperl-fuchs:icrl-m-16rj45\/4cp-g-din_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-12504
- 19.49%: probability of exploitation activity in the next 30 days
- ~96%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-12504
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | CERT VDE | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2020-12504
- The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators. Assigned by: info@cert.vde.com (Primary)
References for CVE-2020-12504
- http://packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html
  Korenix Technology JetWave CSRF / Command Injection / Missing Authentication ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- http://seclists.org/fulldisclosure/2021/Jun/0
  Full Disclosure: SEC Consult SA-20210601-0 :: Multiple critical vulnerabilities in Korenix Technology JetNet Series (Exploit; Mailing List; Third Party Advisory)
- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/
  Multiple Critical Vulnerabilities in Korenix Technology, Westermo and Pepperl+Fuchs products (Exploit; Third Party Advisory)
- http://packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html
  Korenix CSRF / Backdoor Accounts / Command Injection / Missing Authentication ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://cert.vde.com/de-de/advisories/vde-2020-040
  PEPPERL+FUCHS: Multiple Products prone to multiple vulnerabilities in Comtrol RocketLinux (Update A) — German (Germany) (Third Party Advisory)
- https://cert.vde.com/en-us/advisories/vde-2020-053
  PEPPERL+FUCHS: Comtrol RocketLinx ICRL-M - Multiple Vulnerabilities — English (USA) (Third Party Advisory)