Vulnerabilities > CVE-2020-12069 - Use of Password Hash With Insufficient Computational Effort vulnerability in Pilz PMC 3.0.0

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

pilz

CWE-916

critical

NVD

Published: 2022-12-26

Updated: 2023-11-07

Summary

In CODESYS V3 products in all versions prior V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. This can be used by a local attacker with low privileges to gain full control of the device.

Vulnerable Configurations

Part	Description	Count
Application	Pilz Pilz PMC 3.0.0	1

Common Weakness Enumeration (CWE)

CWE-916 - Use of Password Hash With Insufficient Computational Effort

References

https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=12943&token=d097958a67ba382de688916f77e3013c0802fade&download=
https://cert.vde.com/en/advisories/VDE-2021-061/
https://cert.vde.com/en/advisories/VDE-2022-031/
https://cert.vde.com/en/advisories/VDE-2022-022/