CVE-2020-16231

moderate-risk
Published 2022-05-19

The affected Bachmann Electronic M-Base Controllers of version MSYS v1.06.14 and later use weak cryptography to protect device passwords. Affected controllers that are actively supported include the MX207, MX213, MX220, MC206, MC212, MC220, and MH230 hardware controllers, and affected end-of-life controllers include the MC205, MC210, MH212, ME203, CS200, MP213, MP226, MPC240, MPC265, MPC270, MPC293, MPE270, and CPC210 hardware controllers. Security Level 0 is set by default by the manufacturer, which could allow an unauthenticated remote attacker to gain access to the password hashes. Security Level 4 is susceptible if an authenticated remote attacker or an unauthenticated person with physical access to the device reads and decrypts the password to conduct further attacks.

Do I need to act?

EPSS score: 0.25% chance of exploitation (low exploit probability)
CISA KEV: Not on CISA KEV list. No confirmed active exploitation reported to CISA.
Patch status unknown: Check vendor advisories for fix availability and mitigation guidance.
CVSS 7.2/10 High (NETWORK / LOW complexity)

Affected Products (20)

Mx207 Firmware
Mx213 Firmware
Mx220 Firmware
Mc206 Firmware
Mc212 Firmware
Mc220 Firmware
Mh230 Firmware
Mc205 Firmware
Mc210 Firmware
Mh212 Firmware
Me203 Firmware
Cs200 Firmware
Mp213 Firmware
Mp226 Firmware
Mpc240 Firmware
Mpc265 Firmware
Mpc270 Firmware
Mpc293 Firmware
Mpe270 Firmware
Cpc210 Firmware

Affected Vendors

47 / 100 moderate-risk
Severity 26/34 · High
Exploitability 1/34 · Minimal
Exposure 20/34 · Moderate