CVE-2023-0052
moderate-risk
Published 2023-01-20
SAUTER Controls Nova 200–220 Series with firmware version 3.3-006 and prior and BACnetstac version 4.2.1 and prior allows the execution of commands without credentials. As Telnet and file transfer protocol (FTP) are the only protocols available for device management, an unauthorized user could access the system and modify the device configuration, which could result in the unauthorized user executing unrestricted malicious commands.
Do I need to act?
0.26% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10
Critical
NETWORK / LOW complexity
Affected Products (5)
Nova 220 Eyk220F001 Firmware
Nova 230 Eyk230F001 Firmware
Nova 106 Eyk300F001 Firmware
Modunet300 Ey-Am300F001 Firmware
Modunet300 Ey-Am300F002 Firmware
Affected Vendors
References
Third Party Advisory
https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-05
45 / 100
moderate-risk
Severity
32/34 · Critical
Exploitability
1/34 · Minimal
Exposure
12/34 · Low