CVE-2020-6994

moderate-risk
Published 2020-04-03

A buffer overflow vulnerability was found in some devices of Hirschmann Automation and Control HiOS and HiSecOS. The vulnerability is due to improper parsing of URL arguments. An attacker could exploit this vulnerability by specially crafting HTTP requests to overflow an internal buffer. The following devices using HiOS Version 07.0.02 and lower are affected: RSP, RSPE, RSPS, RSPL, MSP, EES, EES, EESX, GRS, OS, RED. The following devices using HiSecOS Version 03.2.00 and lower are affected: EAGLE20/30.

Do I need to act?

-
0.08% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Hirschmann Hisecos

Affected Vendors

Belden

References (2)

Mitigation https://www.us-cert.gov/ics/advisories/icsa-20-091-01
Mitigation https://www.us-cert.gov/ics/advisories/icsa-20-091-01
39
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 0/34 · Minimal
Exposure 7/34 · Low