CVE-2019-14930

moderate-risk

Published 2019-10-28

An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Undocumented hard-coded user passwords for root, ineaadmin, mitsadmin, and maint could allow an attacker to gain unauthorised access to the RTU. (Also, the accounts ineaadmin and mitsadmin are able to escalate privileges to root without supplying a password due to insecure entries in /etc/sudoers on the RTU.)

Do I need to act?

0.39% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (2)

Smartrtu Firmware

Me-Rtu Firmware

Affected Vendors

Mitsubishielectric Inea

References (4)

Third Party Advisory https://www.mogozobo.com/

Exploit https://www.mogozobo.com/?p=3593

Third Party Advisory https://www.mogozobo.com/

Exploit https://www.mogozobo.com/?p=3593

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 1/34 · Minimal

Exposure 7/34 · Low