CVE-2020-25178 — Cleartext Transmission of Sensitive Info in Isagraf Runtime

CWE-319 — Cleartext Transmission of Sensitive Info3 documents3 sources

Severity

8.8HIGHNVD

CNA7.5

EPSS

0.2%

top 54.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rockwellautomation Isagraf Runtime Schneider-electric Easergy C5 Firmware Schneider-electric Micom C264 Firmware +10 more

Timeline

PublishedMar 18

Latest updateMar 19

Description

ISaGRAF Workbench communicates with Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x using TCP/IP. This communication protocol provides various file system operations, as well as the uploading of applications. Data is transferred over this protocol unencrypted, which could allow a remote unauthenticated attacker to upload, read, and delete files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages13 packages

▶NVDrockwellautomation/isagraf_runtime5.0 — 6.0

▶NVDrockwellautomation/isagraf_free_runtime6.6.8

▶CVEListV5rockwell_automation/isagraf_runtime4.x, 5.x+1

▶NVDrockwellautomation/aadvance_controller1.40

▶NVDxylem/multismart_firmware< 3.2.0

🔴Vulnerability Details

GHSA

GHSA-9x5p-r7c6-hf92: ISaGRAF Workbench communicates with Rockwell Automation ISaGRAF Runtime Versions 4↗2022-03-19

▶

CVEList

Rockwell Automation ISaGRAF5 Runtime Cleartext Transmission of Sensitive Information↗2022-03-18

▶