CVE-2019-13553
published 2019-10-25


Priority: P261 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.82% (76.0th percentile)
Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point.

Affected (1 range)

Vendor   Product           Version range      Fixed in
carel    pcoweb_firmware   a1.5.3 – b1.2.4    (not listed)

Detection & IOCs (extracted from sources)

  • Target device: Rittal Chiller SK 3232-Series web interface built on Carel pCOWeb firmware. Alert on authentication attempts and on configuration changes (on/off commands, temperature set point modifications) sent to this device over the network, in particular from hosts outside the engineering network that is meant to manage it.
  • CVE-2019-13549 (companion vulnerability): critical functions such as turning the cooling unit on/off and setting the temperature set point can be triggered without any authentication. Monitor for unauthenticated HTTP requests to the pCOWeb interface that reach these control functions.
  • Affected firmware: Carel pCOWeb A1.5.3 through B1.2.4. The hard-coded credentials are baked into the authentication mechanism across this entire range, so every device on these versions should be assumed to share the same credentials.
  • No public exploits were known to target these vulnerabilities when the advisory was published (October 24, 2019), but exploitation requires only a low skill level and is possible remotely over the network (network attack vector, no privileges and no user interaction, per the CVSS vector).
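The two detection points above (credential use against a device whose password is hard-coded, and control requests that arrive with no credential at all) can be checked against web-proxy or Zeek http.log records. The following is an added example for this page, not code from the advisory, from Rittal or from Carel. Everything in it is an assumption for illustration: the device address, the allowlisted engineering subnet, the control-URI pattern and the log lines are constructed, and the real pCOWeb paths must be taken from the operator's own device.

```python
"""Flag suspicious HTTP traffic to a Carel pCOWeb-based controller (added example).

Input: JSON-formatted Zeek http.log records (one object per line). Zeek fills the
'username' field when the request carried HTTP Basic credentials, which is how the
hard-coded pCOWeb account shows up on the wire.
"""
import ipaddress
import json
import re
from typing import Iterable

# --- Operator-supplied configuration (all values constructed for this example) ---
PCOWEB_HOSTS = {"10.20.30.40"}                          # chiller web interface(s)
ALLOWED_SRC = [ipaddress.ip_network("10.20.99.0/24")]   # engineering workstations
# Hypothetical control endpoints; fill in from the real device's pages.
CONTROL_URI_RE = re.compile(r"/(control|setpoint|onoff)\b", re.IGNORECASE)
WRITE_METHODS = {"POST", "PUT"}


def _allowed(src: str) -> bool:
    """True when the client IP sits inside an allowlisted management subnet."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWED_SRC)


def classify(rec: dict) -> list[str]:
    """Return alert tags for one http.log record; [] means nothing fired."""
    if rec.get("id.resp_h") not in PCOWEB_HOSTS:
        return []                                   # traffic to some other server
    alerts: list[str] = []
    src = rec["id.orig_h"]
    uri = rec.get("uri", "")
    method = rec.get("method", "GET").upper()
    username = rec.get("username") or ""
    authed = username not in ("", "-")             # Zeek uses '-' for unset in TSV
    is_control = bool(CONTROL_URI_RE.search(uri)) or method in WRITE_METHODS
    trusted = _allowed(src)

    # CVE-2019-13549: a control function reached without any credential.
    if is_control and not authed:
        alerts.append("unauthenticated-control-request")
    # CVE-2019-13553: the credential is hard-coded, so a login from outside the
    # engineering subnet means someone else is using the baked-in account.
    if authed and not trusted:
        alerts.append("credential-use-from-untrusted-source")
    # Any control/write from outside the allowlist deserves a ticket regardless.
    if is_control and not trusted:
        alerts.append("control-request-from-untrusted-source")
    return alerts


def scan(lines: Iterable[str]) -> list[tuple[str, str, list[str]]]:
    """Parse JSON http.log lines; return (src, uri, alerts) for each record that fired."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        tags = classify(rec)
        if tags:
            hits.append((rec["id.orig_h"], rec.get("uri", ""), tags))
    return hits


# Constructed sample records; not real traffic. 192.0.2.77 is an untrusted source.
SAMPLE_LOG = """
{"ts":1571900000.1,"id.orig_h":"10.20.99.5","id.resp_h":"10.20.30.40","method":"GET","uri":"/","username":"-","status_code":200}
{"ts":1571900001.2,"id.orig_h":"10.20.99.5","id.resp_h":"10.20.30.40","method":"POST","uri":"/setpoint","username":"admin","status_code":200}
{"ts":1571900002.3,"id.orig_h":"192.0.2.77","id.resp_h":"10.20.30.40","method":"POST","uri":"/onoff","username":"-","status_code":200}
{"ts":1571900003.4,"id.orig_h":"192.0.2.77","id.resp_h":"10.20.30.40","method":"GET","uri":"/config","username":"admin","status_code":200}
{"ts":1571900004.5,"id.orig_h":"192.0.2.77","id.resp_h":"10.20.30.41","method":"POST","uri":"/onoff","username":"-","status_code":404}
"""

if __name__ == "__main__":
    for src, uri, tags in scan(SAMPLE_LOG.splitlines()):
        print(f"{src} {uri}: {', '.join(tags)}")
```

On the constructed sample the engineering workstation's set-point change is silent, the unauthenticated on/off request from 192.0.2.77 raises both an unauthenticated-control and an untrusted-source alert, and the same host's authenticated page read raises only the credential-use alert. Because the credentials cannot be rotated on the affected firmware, the source allowlist is the control that actually carries weight here; tune it to the real management network rather than widening it to silence alerts.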

CVSS provenance

NVD   CVSS v3.1   9.8    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD   CVSS v2.0   10.0   CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C