CVE-2023-0321

Disclosure of Sensitive Information on Campbell Scientific Products

CVSS 9.1 CRITICALEPSS 0.9%CWE-200

Vexday Risk Score

28Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 9.1EPSS 0.9%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

25 jan 2023Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Campbell Scientific dataloggers CR6, CR300, CR800, CR1000 and CR3000 may allow an attacker to download configuration files, which may contain sensitive information about the internal network. From factory defaults, the mentioned datalogges have HTTP and PakBus enabled. The devices, with the default configuration, allow this situation via the PakBus port. The exploitation of this vulnerability may allow an attacker to download, modify, and upload new configuration files.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Produtos afetados

Campbell Scientific · CR1000 Campbell Scientific · CR300 Campbell Scientific · CR3000 Campbell Scientific · CR6 Campbell Scientific · CR800

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://www.hackplayers.com/2023/01/cve-2023-0321-info-sensible-campbell.html https://www.incibe-cert.es/en/early-warning/ics-advisories/disclosure-sensitive-information-campbell-scientific-products