CVE-2023-37857

CWE-798 — Hard-coded Credentials3 documents3 sources

Severity

7.2HIGH

EPSS

0.1%

top 79.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phoenix Contact WP 6070-wvps Phoenix Contact WP 6101-wxps Phoenix Contact WP 6121-wxps +9 more

Timeline

PublishedAug 9

Description

In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing the attacker to create valid session cookies. These session-cookies created by the attacker are not sufficient to obtain a valid session on the device.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:NExploitability: 1.2 | Impact: 2.5

Affected Packages12 packages

▶CVEListV5phoenix_contact/wp_6070-wvps< 4.0.10

▶CVEListV5phoenix_contact/wp_6101-wxps< 4.0.10

▶CVEListV5phoenix_contact/wp_6121-wxps< 4.0.10

▶CVEListV5phoenix_contact/wp_6156-whps< 4.0.10

▶CVEListV5phoenix_contact/wp_6185-whps< 4.0.10

🔴Vulnerability Details

GHSA

GHSA-rq33-29r2-6jr3: In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4↗2023-08-09

▶

CVEList

PHOENIX CONTACT: Use of Hard-coded Credentials in WP 6xxx Web panels↗2023-08-09

▶