Vulnerability Details : CVE-2023-28654
Osprey Pump Controller version 1.01 has a hidden administrative account that has the hardcoded password that allows full access to the web management interface configuration. The user is not visible in Usernames and Passwords menu list of the application and the password cannot be changed through any normal operation of the device.
Products affected by CVE-2023-28654
- cpe:2.3:o:propumpservice:osprey_pump_controller_firmware:1.01:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-28654
0.19%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 57 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-28654
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
ICS-CERT | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2023-28654
-
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.Assigned by: ics-cert@hq.dhs.gov (Secondary)
-
The product contains hard-coded credentials, such as a password or cryptographic key.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-28654
-
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-06
ProPump and Controls Osprey Pump Controller | CISAThird Party Advisory;US Government Resource
Jump to