CVE-2017-6041

high-risk
Published 2017-06-30

An Unrestricted Upload issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check Bin Grader, FlowlineQC T376, IPM3 Dual Cam v132, IPM3 Dual Cam v139, IPM3 Single Cam v132, P520, P574, SensorX13 QC flow line, SensorX23 QC Master, SensorX23 QC Slave, Speed Batcher, T374, T377, V36, V36B, and V36C; M3210 terminal associated with the same systems as the M3000 terminal identified above; M3000 desktop software associated with the same systems as the M3000 terminal identified above; MAC4 controller associated with the same systems as the M3000 terminal identified above; SensorX23 X-ray machine; SensorX25 X-ray machine; and MWS2 weighing system. This vulnerability allows an attacker to modify the operation and upload firmware changes without detection.

Do I need to act?

EPSS score: 0.63% chance of exploitation (low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10 Critical: NETWORK / LOW complexity

Affected Products (20)

A320 Firmware
A325 Firmware
A371 Firmware
A542 Firmware
Check Bin Grader Firmware
Flowlineqc T376 Firmware
Ipm3 Dual Cam Firmware
Ipm3 Dual Cam Firmware
P574 Firmware
Sensorx13 Qc Flow Line Firmware
Sensorx23 Qc Master Firmware
A520 Master Firmware
A520 Slave Firmware
A530 Firmware
A571 Firmware
P520 Firmware
Sensorx23 Qc Slave Firmware
Speed Batcher Firmware
T374 Firmware
T377 Firmware

Affected Vendors

55 / 100 (high-risk)
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 21/34 · High