CVE-2024-5947
published 2024-06-13CVE-2024-5947: Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent…
PriorityP343medium6.5CVSS 3.1
AVAACLPRNUINSUCHINAN
EXPLOIT
EPSS
2.42%
82.1th percentile
Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the web-based UI. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-22679.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| deep_sea_electronics | dse855 | — | — |
| deepseaelectronics | dse855_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Fingerprint target device by checking HTTP response body for 'Copyright Deep Sea Electronics' before probing the backup endpoint. ↗
- →Affected version is DSE855 Version 1.0.26; presence of this version on network-adjacent segments should trigger investigation. ↗
- →FOFA/Shodan fingerprint query 'Deep Sea Electronics' can be used to identify exposed DSE855 devices on the network. ↗
- ·Vulnerability is only exploitable from network-adjacent attackers (AV:A), not remotely over the internet; detection should focus on local/OT network segments. ↗
- ·The Nuclei template uses a two-step flow: first confirm the DSE855 web UI is present, then probe /Backup.bin — single-step probes may produce false positives on other devices. ↗
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv3.06.5MEDIUMCVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
Deep Sea Electronics DSE855
cisa_ics·2024-10-24·CVSS 6.5
[MEDIUM] Deep Sea Electronics DSE855
ICS Advisory
##
Deep Sea Electronics DSE855
Release DateOctober 24, 2024
Alert CodeICSA-24-298-03
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v4 7.1
- ATTENTION: low attack complexity/public exploits are available
- Vendor: Deep Sea Electronics
- Equipment: DSE855
- Vulnerability: Missing Authentication for Critical Function
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to access stored credentials.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Deep Sea Electronics DSE855, an ethernet communications device, are affected:
- DSE855: Version 1.0.26
## 3.2 Vulnerability Overview
## 3.2.1 Missing
GHSA
GHSA-gxv6-85rj-hm78: Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability
ghsa_unreviewed·2024-06-13
CVE-2024-5947 [MEDIUM] CWE-306 GHSA-gxv6-85rj-hm78: Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability
Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the web-based UI. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-22679.
No detection rules found.
Nuclei
Deep Sea Electronics DSE855 - Authentication Bypass
nuclei·CVSS 6.5
CVE-2024-5947 [MEDIUM] Deep Sea Electronics DSE855 - Authentication Bypass
Deep Sea Electronics DSE855 - Authentication Bypass
Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based UI. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-22679.
Template:
id: CVE-2024-5947
info:
name: Deep Sea Electronics DSE855 - Authentication Bypass
author: s4e-io
severity: medium
description: |
Deep Sea El
No writeups or analysis indexed.
2024-06-13
Published