5.3

CVE-2020-25752

Exploit

EPSS 1.6%
Veröffentlicht 16.06.2021 19:15:17
Zuletzt bearbeitet 21.11.2024 05:18:39
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered on Enphase Envoy R3.x and D4.x devices. There are hardcoded web-panel login passwords for the installer and Enphase accounts. The passwords for these accounts are hardcoded values derived from the MD5 hash of the username and serial number mixed with some static strings. The serial number can be retrieved by an unauthenticated user at /info.xml. These passwords can be easily calculated by an attacker; users are unable to change these passwords.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Enphase ≫ Envoy Firmware Versiond4.0

Enphase ≫ Envoy Version-

Enphase ≫ Envoy Firmware Versionr3.0

Enphase ≫ Envoy Version-

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.6%	0.727

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://enphase.com/en-us/products-and-services/envoy-and-combiner

Vendor Advisory

Product

https://medium.com/stage-2-security/can-solar-controllers-be-used-to-generate-fake-clean-energy-credits-4a7322e7661a

Third Party Advisory

Exploit

https://stage2sec.com

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-25752

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-25752

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-25752

EUVD