CVE-2019-11536
Published 2019-05-22
CVE-2019-11536: Kalki Kalkitech SYNC3000 Substation DCU GPC v2.22.6, 2.23.0, 2.24.0, 3.0.0, 3.1.0, 3.1.16, 3.2.3, 3.2.6, 3.5.0, 3.6.0, and 3.6.1, when WebHMI is not installed…
Priority P260 | critical | 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.90% (77.1th percentile)
Kalki Kalkitech SYNC3000 Substation DCU GPC v2.22.6, 2.23.0, 2.24.0, 3.0.0, 3.1.0, 3.1.16, 3.2.3, 3.2.6, 3.5.0, 3.6.0, and 3.6.1, when WebHMI is not installed, allows an attacker to inject client-side commands or scripts to be executed on the device with privileged access, aka CYB/2019/19561. The attack requires network connectivity to the device and exploits the webserver interface, typically through a browser.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kalkitech | sync3000_firmware | — | — |
| kalkitech | sync3000_firmware | — | — |
| kalkitech | sync3000_firmware | — | — |
| kalkitech | sync3000_firmware | — | — |
| kalkitech | sync3000_firmware | — | — |
| kalkitech | sync3000_firmware | — | — |
| kalkitech | sync3000_firmware | — | — |
| kalkitech | sync3000_firmware | — | — |
| kalkitech | sync3000_firmware | — | — |
| kalkitech | sync3000_firmware | — | — |
| kalkitech | sync3000_firmware | — | — |
CVSS provenance
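| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |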
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2019-05-22: Published