Vulnerability Pulse

Every week, we catalog the major industrial cybersecurity vulnerabilities and updates you should know about. Here are the notable threats from the week of April 28 - May 4. Sign up to get these updates right to your inbox!

MAY 02, 2024

CyberPower PowerPanel

CyberPower PowerPanel contains multiple vulnerabilities, including use of a hard-coded password, relative path traversal, and use of hard-coded credentials, which can allow an attacker to bypass authentication and gain administrator privileges, forge JWT tokens to bypass authentication, write arbitrary files to the server, achieve code execution, and more.


Sources: CISA, CyberPower

Delta Electronics DIAEnergie

Delta Electronics DIAEnergie contains SQL Injection and path traversal vulnerabilities that can allow an authenticated attacker with limited privileges to escalate privileges, retrieve confidential information, upload arbitrary files, backdoor the application and compromise the system on which DIAEnergie is deployed.


Sources: CISA, Delta Electronics

Chirp Systems Chirp Access (Update C)

Chirp Systems Chirp Access (Update C) contains a use of hard-coded password vulnerability that can allow an attacker to adjust the beacon configuration settings and/or disable the Bluetooth functionality of doors where non-networked beacons are deployed.


Sources: CISA, Chirp Systems

APRIL 30, 2024

Delta Electronics CNCSoft-G2 DOPSoft

Delta Electronics CNCSoft-G2 DOPSoft contains a stack-based buffer overflow vulnerability that can allow an attacker to execute arbitrary code.


Sources: CISA, Delta Electronics

SEW-EURODRIVE MOVITOOLS MotionStudio (Update A)

SEW-EURODRIVE MOVITOOLS MotionStudio (Update A) contains an improper restriction of XML external entity reference (XXE) vulnerability that can result in open access to file information.


Sources: CISA, SEW Eurodrive

Unitronics Vision Legacy Series (Update A)

Unitronics Vision Legacy Series (Update A) stores passwords in a recoverable format, a vulnerability that can allow an attacker to log in to the Remote HMI feature, where the PLC may be factory reset, stopped and restarted.


Sources: CISA, Unitronics
