CVE-2019-19229

high-risk
Published 2019-12-04

admincgi-bin/service.fcgi on Fronius Solar Inverter devices before 3.14.1 (HM 1.12.1) allows action=download&filename= Directory Traversal.

Do I need to act?

-
0.66% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10 Medium
NETWORK / LOW complexity

Affected Products (20)

Datamanager Box 2.0 Firmware
Eco 25.0-3-S Firmware
Eco 27.0-3-S Firmware
Galvo 1.5-1 Firmware
Galvo 1.5-1 208-240 Firmware
Galvo 2.0-1 Firmware
Galvo 2.0-1 208-240 Firmware
Galvo 2.5-1 Firmware
Galvo 2.5-1 208-240 Firmware
Galvo 3.0-1 Firmware
Galvo 3.1-1 Firmware
Galvo 3.1-1 208-240 Firmware
Primo 10.0-1 208-240 Firmware
Primo 11.4-1 208-240 Firmware
Primo 12.5-1 208-240 Firmware
Primo 15.0-1 208-240 Firmware
Primo 3.0-1 Firmware
Primo 3.5-1 Firmware
Primo 3.6-1 Firmware
Primo 3.8-1 208-240 Firmware

Affected Vendors

Fronius

References (6)

Exploit http://packetstormsecurity.com/files/155562/Fronius-Solar-Inverter-Series-Insecu...
Exploit https://sec-consult.com/en/blog/advisories/multiple-vulnerabilites-in-fronius-so...
Exploit https://seclists.org/bugtraq/2019/Dec/5
Exploit http://packetstormsecurity.com/files/155562/Fronius-Solar-Inverter-Series-Insecu...
Exploit https://sec-consult.com/en/blog/advisories/multiple-vulnerabilites-in-fronius-so...
Exploit https://seclists.org/bugtraq/2019/Dec/5
53
/ 100
high-risk
Severity 24/34 · High
Exploitability 2/34 · Minimal
Exposure 27/34 · High