CVE-2018-18995
published 2019-01-03

CVE-2018-18995: Pluto Safety PLC Gateway Ethernet devices ABB GATE-E1 and GATE-E2 all versions do not allow authentication to be configured on administrative telnet or web…

Priority P260 · critical · 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.65% (83.7th percentile)
Pluto Safety PLC Gateway Ethernet devices ABB GATE-E1 and GATE-E2, all versions, do not allow authentication to be configured on the administrative telnet or web interfaces, which could enable various effects, including conducting device resets, reading or modifying registers, and changing configuration settings such as IP addresses.

Detection & IOCs (extracted from sources)

  • Targeted interface: administrative telnet on ABB GATE-E1/GATE-E2 devices. No authentication is required, allowing unauthenticated remote access.
  • Targeted interface: administrative web interface on ABB GATE-E1/GATE-E2 devices. No authentication is required; also vulnerable to stored XSS via device property fields (CVE-2018-18997).
  • Exploitation is remotely possible with low skill level; monitor for unauthenticated telnet and HTTP connections to ABB GATE-E1/GATE-E2 devices from unexpected sources
  • No firmware patch will be released; both GATE-E1 (EOL 2013) and GATE-E2 (EOL Oct 2018) are end-of-life. Mitigation relies entirely on network segmentation and defense-in-depth, not a software fix.
  • No known public exploits exist for this vulnerability at time of advisory publication.

CVSS provenance

nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P