CVE-2023-28654
Published 2023-03-28
Priority P262 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.77% (51.0th percentile)
Osprey Pump Controller version 1.01 has a hidden administrative account with a hardcoded password that allows full access to the web management interface configuration. The account is not visible in the application's Usernames and Passwords menu list, and its password cannot be changed through any normal operation of the device.
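The weakness behind this CVE is CWE-798 (hard-coded credentials): the login handler accepts an account that the device's user store never contains, so the UI cannot list it and the operator cannot rotate its password. The following is an added illustration written for this page, not code from the Osprey Pump Controller firmware or from ProPump and Controls. The account names, passwords, and function names (`vuln_login`, `UserStore`, `audit_hidden_accounts`) are hypothetical. It shows the vulnerable pattern beside a hardened one in which the user store is the single source of truth for authentication, the UI account list, and password changes, and it includes a small audit routine that reports any credential that authenticates without appearing in the account list.

```python
"""Illustration of CWE-798 as seen in CVE-2023-28654.  Constructed example:
not the Osprey Pump Controller firmware; all names and secrets are made up."""
import hashlib
import hmac
import secrets

# --- Vulnerable pattern ---------------------------------------------------
# The persisted user store backs the "Usernames and Passwords" menu.
# (Constructed sample data; plaintext storage is common on small controllers.)
VULN_USER_STORE = {"operator": "operator-pass"}

# A second account compiled into the login handler.  It is never written to
# the store, so the UI cannot show it and nothing can change its password.
_HIDDEN_USER = "service"      # hypothetical name
_HIDDEN_PASS = "svc-1234"     # hypothetical constant


def vuln_list_accounts() -> list[str]:
    """What the management UI renders: only the persisted accounts."""
    return sorted(VULN_USER_STORE)


def vuln_login(user: str, password: str) -> bool:
    """The hard-coded check runs before the user store is consulted."""
    if user == _HIDDEN_USER and password == _HIDDEN_PASS:
        return True
    return VULN_USER_STORE.get(user) == password


# --- Hardened pattern -----------------------------------------------------
# Every account that can authenticate lives in the store; the same store
# feeds the UI list and the password-change path.  Passwords are salted
# PBKDF2 hashes compared in constant time.
_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


class UserStore:
    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}  # name -> (salt, hash)

    def add(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _hash(password, salt))

    def list_accounts(self) -> list[str]:
        return sorted(self._users)

    def login(self, user: str, password: str) -> bool:
        entry = self._users.get(user)
        if entry is None:
            _hash(password, b"\x00" * 16)  # equalise timing for unknown users
            return False
        salt, stored = entry
        return hmac.compare_digest(_hash(password, salt), stored)

    def change_password(self, user: str, old: str, new: str) -> bool:
        """Only the account holder (or an admin flow built on this) can rotate."""
        if not self.login(user, old):
            return False
        self.add(user, new)  # re-salts and overwrites
        return True


def audit_hidden_accounts(list_fn, login_fn, candidates: dict[str, str]) -> list[str]:
    """Return credentials that authenticate but are absent from the UI list.
    `candidates` is a constructed set of username/password pairs to probe."""
    visible = set(list_fn())
    return sorted(u for u, p in candidates.items() if login_fn(u, p) and u not in visible)


def demo() -> dict[str, list[str]]:
    probe = {"operator": "operator-pass", _HIDDEN_USER: _HIDDEN_PASS}
    hardened = UserStore()
    hardened.add("operator", "operator-pass")
    return {
        "vulnerable_hidden": audit_hidden_accounts(vuln_list_accounts, vuln_login, probe),
        "hardened_hidden": audit_hidden_accounts(hardened.list_accounts, hardened.login, probe),
    }


if __name__ == "__main__":
    print(demo())
```

Against a real device the probe set in `audit_hidden_accounts` would be whatever credentials are suspected from firmware analysis; the point of the routine is the comparison between "what authenticates" and "what the UI lists", which is exactly the gap the CVE describes.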
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| propump_and_controls_inc | osprey_pump_controller | — | — |
| propumpservice | osprey_pump_controller_firmware | — | — |
GHSA
GHSA-6v85-xmc7-gr5h · ghsa_unreviewed · 2023-03-28 · CVE-2023-28654 [CRITICAL] · CWE-798
Title: Osprey Pump Controller version 1
Osprey Pump Controller version 1.01 has a hidden administrative account with a hardcoded password that allows full access to the web management interface configuration. The account is not visible in the application's Usernames and Passwords menu list, and its password cannot be changed through any normal operation of the device.
CISA ICS
cisa_ics · 2024-02-08 · CVSS 5.5 [MEDIUM]
ICS Advisory
## ProPump and Controls Osprey Pump Controller (Update A)
Last Revised: February 08, 2024
Alert Code: ICSA-23-082-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: ProPump and Controls, Inc.
- Equipment: Osprey Pump Controller
- Vulnerabilities: Insufficient Entropy, Use of GET Request Method with Sensitive Query Strings, Use of Hard-coded Password, OS Command Injection, Cross-site Scripting, Authentication Bypass using an Alternate Path or Channel, Cross-Site Request Forgery, Command Injection
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access, retrieve sensitive information, modi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.