CVE-2020-14504 : The web interface of the 1734-AENTR communication module mishandles authenticati

The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings.

Published 2022-02-24 19:15:09

Updated 2025-04-17 19:15:51

Source ICS-CERT

View at NVD, CVE.org

Products affected by CVE-2020-14504

Rockwellautomation » 1734-aentr Point I/o Dual Port Network Adaptor Series B Firmware
Versions from including (>=) 5.011 and up to, including, (<=) 5.017
cpe:2.3:o:rockwellautomation:1734-aentr_point_i\/o_dual_port_network_adaptor_series_b_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Rockwellautomation » 1734-aentr Point I/o Dual Port Network Adaptor Series B » Version: N/A
Rockwellautomation » 1734-aentr Point I/o Dual Port Network Adaptor Series B Firmware
Versions from including (>=) 4.001 and up to, including, (<=) 4.005
cpe:2.3:o:rockwellautomation:1734-aentr_point_i\/o_dual_port_network_adaptor_series_b_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Rockwellautomation » 1734-aentr Point I/o Dual Port Network Adaptor Series B » Version: N/A
Rockwellautomation » 1734-aentr Point I/o Dual Port Network Adaptor Series C Firmware » Version: 6.011
cpe:2.3:o:rockwellautomation:1734-aentr_point_i\/o_dual_port_network_adaptor_series_c_firmware:6.011:*:*:*:*:*:*:*
Matching versions
When used together with: Rockwellautomation » 1734-aentr Point I/o Dual Port Network Adaptor Series C » Version: N/A
Rockwellautomation » 1734-aentr Point I/o Dual Port Network Adaptor Series C Firmware » Version: 6.012
cpe:2.3:o:rockwellautomation:1734-aentr_point_i\/o_dual_port_network_adaptor_series_c_firmware:6.012:*:*:*:*:*:*:*
Matching versions
When used together with: Rockwellautomation » 1734-aentr Point I/o Dual Port Network Adaptor Series C » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2020-14504

EPSS FAQ

0.23%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 43 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-14504

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-04-17
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2020-14504

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: ics-cert@hq.dhs.gov (Primary)
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Primary)
- nvd@nist.gov (Secondary)

References for CVE-2020-14504

https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01

Rockwell Automation 1734-AENTR Series B and Series C | CISA
Mitigation;Third Party Advisory;US Government Resource

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-14504

Products affected by CVE-2020-14504

Exploit prediction scoring system (EPSS) score for CVE-2020-14504

CVSS scores for CVE-2020-14504

CWE ids for CVE-2020-14504

References for CVE-2020-14504