CVE-2019-11536

moderate-risk
Published 2019-05-22

Kalki Kalkitech SYNC3000 Substation DCU GPC v2.22.6, 2.23.0, 2.24.0, 3.0.0, 3.1.0, 3.1.16, 3.2.3, 3.2.6, 3.5.0, 3.6.0, and 3.6.1, when WebHMI is not installed, allows an attacker to inject client-side commands or scripts to be executed on the device with privileged access, aka CYB/2019/19561. The attack requires network connectivity to the device and exploits the webserver interface, typically through a browser.

Do I need to act?

-
0.39% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (11)

Sync3000 Firmware
Sync3000 Firmware
Sync3000 Firmware
Sync3000 Firmware
Sync3000 Firmware
Sync3000 Firmware
Sync3000 Firmware
Sync3000 Firmware
Sync3000 Firmware
Sync3000 Firmware
Sync3000 Firmware

Affected Vendors

Kalkitech

References (4)

Vendor Advisory https://www.kalkitech.com/cybersecurity/
Vendor Advisory https://www.kalkitech.com/wp-content/uploads/CYB_19561_Advisory.pdf
Vendor Advisory https://www.kalkitech.com/cybersecurity/
Vendor Advisory https://www.kalkitech.com/wp-content/uploads/CYB_19561_Advisory.pdf
49
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 1/34 · Minimal
Exposure 16/34 · Moderate