ECOA Building Automation System Remote Privilege Escalation

The BAS controller is vulnerable to a weak access control mechanism that allows any user to escalate privileges by disclosing the credentials of administrative accounts in plain text.

Zero Science Lab

Related news

CVE-2021-41297: TWCERT/CC台灣電腦網路危機處理暨協調中心-ECOA BAS controller - Insufficiently Protected Credentials-1

The ECOA BAS controller is vulnerable to a weak access control mechanism that allows an authenticated user to remotely escalate privileges by disclosing the credentials of administrative accounts in plain text.

CVE-2021-41296: TWCERT/CC台灣電腦網路危機處理暨協調中心-ECOA BAS controller - Weak Password Requirements

The ECOA BAS controller uses a weak set of default administrative credentials that can be easily guessed in remote password attacks, allowing an attacker to gain full control of the system.

CVE-2021-41300: TWCERT/CC台灣電腦網路危機處理暨協調中心-ECOA BAS controller - Insufficiently Protected Credentials-2

The ECOA BAS controller’s special page displays user accounts and passwords in plain text, so unauthenticated attackers can access the page and obtain privileges with full functionality.

CVE-2021-20034: Security Advisory

An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file, potentially resulting in a reboot to factory default settings.