Vulnerabilities > Secheron

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2022-06-24 | CVE-2022-1666 | Insufficiently Protected Credentials vulnerability in Secheron Sepcos Control and Protection Relay Firmware 1.23.0/1.24.0/1.25.0 | The default password for the web application’s root user (the vendor’s private account) was weak, and the password was cracked from its MD5 hash using a widely available open-source tool. | network, low complexity, secheron, CWE-522, 6.5 |
| 2022-06-24 | CVE-2022-1667 | Unspecified vulnerability in Secheron Sepcos Control and Protection Relay Firmware 1.23.0/1.24.0/1.25.0 | Client-side JavaScript controls may be bypassed by directly running a JS function to reboot the PLC (e.g., from the browser console) or by loading the corresponding, browser-accessible PHP script. | network, low complexity, secheron, 7.5 |
| 2022-06-24 | CVE-2022-1668 | Weak Password Requirements vulnerability in Secheron Sepcos Control and Protection Relay Firmware 1.23.0/1.24.0/1.25.0 | Weak default root user credentials allow remote attackers to easily obtain OS superuser privileges over the open TCP port for SSH. | network, low complexity, secheron, CWE-521, critical, 9.8 |
| 2022-06-24 | CVE-2022-2102 | Unrestricted Upload of File with Dangerous Type vulnerability in Secheron Sepcos Control and Protection Relay Firmware 1.23.0/1.24.0/1.25.0 | Controls limiting uploads to certain file extensions may be bypassed. | network, low complexity, secheron, CWE-434, 7.5 |
| 2022-06-24 | CVE-2022-2103 | Insufficiently Protected Credentials vulnerability in Secheron Sepcos Control and Protection Relay Firmware 1.23.0/1.24.0/1.25.0 | An attacker with weak credentials could access the TCP port via an open FTP port, allowing an attacker to read sensitive files and write to remotely executable directories. | network, low complexity, secheron, CWE-522, critical, 9.1 |
| 2022-06-24 | CVE-2022-2104 | Unspecified vulnerability in Secheron Sepcos Control and Protection Relay Firmware 1.23.0/1.24.0/1.25.0 | The www-data (Apache web server) account is configured to run sudo with no password for many commands (including /bin/sh and /bin/bash). | network, low complexity, secheron, critical, 9.8 |
| 2022-06-24 | CVE-2022-2105 | Unspecified vulnerability in Secheron Sepcos Control and Protection Relay Firmware 1.23.0/1.24.0/1.25.0 | Client-side JavaScript controls may be bypassed to change user credentials and permissions without authentication, including a “root” user level meant only for the vendor. | network, low complexity, secheron, critical, 9.1 |