CVE-2021-41292

ECOA BAS controller - Broken Authentication

CVSS 9.8 CRITICALEPSS 1.1%CWE-288

ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

ECOA · ECS Router Controller ECS (FLASH)ECOA · Graphic Control Software ECOA · RiskBuster System RB 3.0.0 ECOA · RiskBuster System TRANE 1.0 ECOA · RiskBuster Terminator E6L45 ECOA · RiskTerminator ECOA · SmartHome II E9246

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html