CVE-2020-24683
high-risk
Published 2020-12-22
The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application.
Do I need to act?
-
0.45% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (10)
Symphony \+ Historian
Symphony \+ Historian
Symphony \+ Operations
Symphony \+ Operations
Symphony \+ Operations
Symphony \+ Operations
Symphony \+ Operations
Symphony \+ Operations
Symphony \+ Operations
Symphony \+ Operations
Affected Vendors
50
/ 100
high-risk
Severity
32/34 · Critical
Exploitability
2/34 · Minimal
Exposure
16/34 · Moderate