CVE-2014-0769

2014-04-2505:12:00

CWE-287

[email protected]

web.nvd.nist.gov

festo

cecx-x-c1

cecx-x-m1

modular controllers

codesys

softmotion

authentication bypass

tcp ports

remote attack

configuration modification

log deletion

cve-2014-0769

nvd

7.2 High

AI Score

Confidence

Low

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.005 Low

EPSS

Percentile

76.4%

JSON

The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion do not require authentication for connections to certain TCP ports, which allows remote attackers to (1) modify the configuration via a request to the debug service on port 4000 or (2) delete log entries via a request to the log service on port 4001.

CPENameOperatorVersion
softmotion3d:softmotionsoftmotion3d softmotioneq-
festo:cecx-x-m1_modular_controllerfesto cecx-x-m1 modular controllereq-
3s-software:codesys_runtime_system3s-software codesys runtime systemeq-
festo:cecx-x-c1_modular_master_controllerfesto cecx-x-c1 modular master controllereq-

CPE	Name	Operator	Version
softmotion3d:softmotion	softmotion3d softmotion	eq	-
festo:cecx-x-m1_modular_controller	festo cecx-x-m1 modular controller	eq	-
3s-software:codesys_runtime_system	3s-software codesys runtime system	eq	-
festo:cecx-x-c1_modular_master_controller	festo cecx-x-c1 modular master controller	eq	-