CVE-2023-0321

Disclosure of Sensitive Information on Campbell Scientific Products

CVSS 9.1 CRITICALEPSS 0.9%CWE-200

Vexday Risk Score

28Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 9.1EPSS 0.9%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

25 ene 2023Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Campbell Scientific dataloggers CR6, CR300, CR800, CR1000 and CR3000 may allow an attacker to download configuration files, which may contain sensitive information about the internal network. From factory defaults, the mentioned datalogges have HTTP and PakBus enabled. The devices, with the default configuration, allow this situation via the PakBus port. The exploitation of this vulnerability may allow an attacker to download, modify, and upload new configuration files.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Productos afectados

Campbell Scientific · CR1000 Campbell Scientific · CR300 Campbell Scientific · CR3000 Campbell Scientific · CR6 Campbell Scientific · CR800

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://www.hackplayers.com/2023/01/cve-2023-0321-info-sensible-campbell.html https://www.incibe-cert.es/en/early-warning/ics-advisories/disclosure-sensitive-information-campbell-scientific-products