CVE-2023-40706
Improper Restriction of Excessive Authentication Attempts in OPTO 22 SNAP PAC S1 Built-in Web Server
In short
The SNAP PAC S1 web server doesn't limit failed login attempts, allowing attackers to repeatedly guess passwords without restriction. This makes brute-force attacks practical and puts the device at risk of unauthorized access.
Technical detail
The OPTO 22 SNAP PAC S1 built-in web server (firmware R10.3b) has a CWE-307 weakness: it does not rate-limit authentication attempts, so brute-force attacks against the login credentials are feasible. No account lockout or progressive delay slows down password enumeration, which can lead to compromise of administrative access and, from there, potential control of the device.
Summary generated and translated by AI from the official description.
There is no limit on the number of login attempts in the web server for the SNAP PAC S1 Firmware version R10.3b. This could allow for a brute-force attack on the built-in web server login.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
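The weakness above is the absence of the two controls named in the technical detail, account lockout and progressive delays. The following is an added illustration, not code from OPTO 22 or from the device firmware: a throttled login check alongside the unthrottled pattern CWE-307 describes. The credential store, user name and source address are constructed placeholders, and the injectable clock exists so the behaviour can be verified without real waiting.

```python
import hmac
import time
from collections import defaultdict

# Constructed placeholder credential store; a real server would compare
# against a salted password hash, not a plaintext value.
USERS = {"admin": "correct horse battery staple"}


class AuthThrottle:
    """Tracks failed logins per (user, source) with progressive delay,
    then a fixed lockout once max_failures is reached."""

    def __init__(self, max_failures=5, base_delay=1.0, lockout=300.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.base_delay = base_delay    # seconds, doubled per failure
        self.lockout = lockout          # seconds after max_failures
        self.clock = clock              # injectable for testing
        self.failures = defaultdict(int)
        self.not_before = defaultdict(float)

    def seconds_until_allowed(self, key):
        """0.0 if an attempt may proceed now, else remaining wait."""
        return max(0.0, self.not_before[key] - self.clock())

    def record_failure(self, key):
        """Returns the delay imposed by this failure (1, 2, 4, 8 ... s,
        then the lockout period once the failure limit is reached)."""
        self.failures[key] += 1
        n = self.failures[key]
        delay = self.lockout if n >= self.max_failures \
            else self.base_delay * (2 ** (n - 1))
        self.not_before[key] = self.clock() + delay
        return delay

    def record_success(self, key):
        self.failures.pop(key, None)
        self.not_before.pop(key, None)


def login_unthrottled(user, password):
    """The CWE-307 pattern: every guess is checked, no penalty accrues."""
    return hmac.compare_digest(USERS.get(user, ""), password)


def login_throttled(throttle, user, password, source):
    """Hardened form: refuse attempts while a delay or lockout is active.
    Keying on (user, source) alone lets a source-rotating attacker dodge
    the lockout; a per-user counter should back this in production."""
    key = (user, source)
    wait = throttle.seconds_until_allowed(key)
    if wait > 0:
        return ("locked", wait)
    if login_unthrottled(user, password):
        throttle.record_success(key)
        return ("ok", 0.0)
    return ("denied", throttle.record_failure(key))
```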
Affected products
OPTO 22 · SNAP PAC S1