GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise Remote Code Execution Vulnerability

GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise are both products of General Electric Company GE, U.S.A. GE Digital Energy MDS PulseNET is a suite of software applications for monitoring and controlling industrial communication network devices. Enterprise is an enterprise version of MD...

CVE-2015-6459

Absolute path traversal vulnerability in the download feature in FileDownloadServlet in GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 allows remote attackers to read or delete arbitrary files via a full pathname...

CVE-2015-6456

GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 have hardcoded credentials for a support account, which allows remote attackers to obtain administrative access, and consequently execute arbitrary code, by leveraging knowledge of the password...

Path traversal

Absolute path traversal vulnerability in the download feature in FileDownloadServlet in GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 allows remote attackers to read or delete arbitrary files via a full pathname...

Hardcoded credentials

GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 have hardcoded credentials for a support account, which allows remote attackers to obtain administrative access, and consequently execute arbitrary code, by leveraging knowledge of the password...

CVE-2015-6459

CVE-2015-6459 covers an absolute path traversal in GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise FileDownloadServlet prior to version 3.1.5. The vulnerability arises from insufficient validation in the download function, allowing remote attackers to read or delete arbitrary files via...

CVE-2015-6456

GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise are affected versions prior to 3.1.5, which contain hard-coded credentials for a hidden support account. This enables remote attackers to obtain administrative access and potentially execute arbitrary code. Public advisories (ZDI-15-440; ...

CVE-2015-6459

Absolute path traversal vulnerability in the download feature in FileDownloadServlet in GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 allows remote attackers to read or delete arbitrary files via a full pathname...

CVE-2015-6456

GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 have hardcoded credentials for a support account, which allows remote attackers to obtain administrative access, and consequently execute arbitrary code, by leveraging knowledge of the password...

GE MDS PulseNET Hidden Support Account Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of GE MDS PulseNET. Authentication is required to exploit this vulnerability but it can bypassed using static credentials. The specific flaw exists within the PulseNET web service. It contains a hidde...

GE MDS PulseNET FileDownloadServlet Directory Traversal Information Disclosure And Deletion Vulnerability

This vulnerability allows remote attackers to read and delete arbitrary files on vulnerable installations of GE MDS PulseNET. Authentication is not required to exploit this vulnerability. The specific flaw exists within the FileDownloadServlet. By specifying a filename including directory...

GE MDS PulseNET Vulnerabilities

OVERVIEW NCCIC/ICS-CERT received a report from HP’s Zero Day Initiative ZDI concerning two vulnerabilities in GE’s MDS PulseNET and MDS PulseNET Enterprise Network Management Software. These vulnerabilities were reported to ZDI by security researcher Andrea Micalizzi. GE has produced a new versio...