CVE-2016-2298
published 2016-05-14

CVE-2016-2298: Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited allows remote attackers to obtain sensitive cleartext information via unspecified vectors.

Priority: P2 · 65 · CVSS 3.0: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available · EPSS: 24.10% (97.6th percentile)

Detection & IOCs (extracted from sources)

  • The Metasploit auxiliary module for this CVE targets HTTP-accessible Meteocontrol WEBlog appliances to extract administrator credentials without authentication — monitor for scanner/exploit activity against WEBlog management portals.
  • Sensitive information including administrator credentials is stored and transmitted in cleartext — inspect HTTP traffic to/from WEBlog devices for credential exposure.
  • All application functionality and configuration pages, including admin-only pages, are accessible without any authentication — alert on unauthenticated HTTP requests to administrative configuration endpoints on WEBlog devices.
  • A hidden command shell feature is accessible without authentication — monitor for unauthenticated HTTP requests to shell/command endpoints on WEBlog devices.
  • Affected versions are all releases prior to the May 2016 update across all WEBlog product lines (Basic 100, Light, Pro, Pro Unlimited).
  • No CSRF token is generated per page or per function, enabling cross-site request forgery attacks that can silently modify plant/device configuration.

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C