CVE-2019-13549: Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4
Published 2019-10-25
Priority P3 · 44 · high · CVSS 3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 1.03% (59.6th percentile)
Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4. The authentication mechanism on affected systems does not provide a sufficient level of protection against unauthorized configuration changes. Primary operations, namely turning the cooling unit on and off and setting the temperature set point, can be modified without authentication.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| carel | pcoweb_firmware | a1.5.3 – b1.2.4 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
CISA ICS: Rittal Chiller SK 3232-Series (cisa_ics · 2019-10-24 · CVSS 7.5 · HIGH)
## ICS Advisory: Rittal Chiller SK 3232-Series
Last Revised: October 24, 2019
Alert Code: ICSA-19-297-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.1
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Rittal
- Equipment: Rittal Chiller SK 3232-Series
- Vulnerabilities: Missing Authentication for Critical Function, Use of Hard-coded Credentials
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could disrupt the primary operations of the affected component, shut down cooling to other equipment, and allow changes to the temperature set point.
## 3. TECHNICAL DET
GHSA-73fc-m42q-9fv3 (ghsa_unreviewed · 2022-05-24 · MEDIUM) for CVE-2019-13549
Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4. The authentication mechanism on affected systems does not provide a sufficient level of protection against unauthorized configuration changes. Primary operations, namely turning the cooling unit on and off and setting the temperature set point, can be modified without authentication.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.