CVE-2023-29155
Published 2023-11-20
Priority P263 · critical · 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.86% (54.0th percentile)
Versions of INEA ME RTU firmware 3.36b and prior do not require authentication to the "root" account on the host system of the device. This could allow an attacker to obtain admin-level access to the host system.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inea | me_rtu | <= 3.36b | — |
| inea | me_rtu_firmware | < 3.37 | 3.37 |
Detection & IOCs (extracted from sources)
- Target device: INEA ME RTU firmware versions 3.36b and prior expose the 'root' account on the host system without requiring authentication, allowing unauthenticated remote admin-level access.
- CVE-2023-29155 is network-exploitable with no privileges required and no user interaction (AV:N/AC:L/PR:N/UI:N); any unauthenticated network connection attempt to the root account on INEA ME RTU should be treated as suspicious.
- A companion vulnerability, CVE-2023-35762 (OS Command Injection, CVSS 9.9), affects the same INEA ME RTU firmware ≤3.36b and enables remote code execution; detections for both should be deployed together.
- Critical infrastructure sectors (Energy, Water and Wastewater, Transportation) running INEA ME RTU devices worldwide are the primary target population; prioritize detection coverage in OT/ICS network segments for these sectors.
- No known public exploitation had been reported at the time of advisory publication; the threat landscape may change.
- Firmware version 3.37 patches CVE-2023-29155; devices still running ≤3.36b remain fully exposed. Verify the firmware version on all deployed INEA ME RTU units before assuming patched status.
GHSA
GHSA-cwp2-c9h3-j78m · ghsa_unreviewed · 2023-11-20 · CVE-2023-29155 [CRITICAL] · CWE-287
The GHSA entry carries the same description as the CVE record above.
CISA ICS
ICS Advisory: INEA ME RTU · cisa_ics · 2023-10-31 · CVSS 9.8 · [CRITICAL]
Release Date: October 31, 2023
Alert Code: ICSA-23-304-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.9
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: INEA
- Equipment: ME RTU
- Vulnerabilities: OS Command Injection, Missing Authentication for Critical Function
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow remote code execution.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of INEA ME RTU are affected:
- ME RTU: versions 3.36b and prior
## 3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78
Versions of INEA ME RTU firmware 3.36b and prior are vulnerable to operating
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2023-11-20