CVE-2023-5719

high-risk
Published 2023-11-06

The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting security configuration to a device. If such a password contains the percent (%) character, invalid values will be included, potentially truncating the string if a NUL is encountered. If the simplified password is not detected by the administrator, the device might be left in a vulnerable state as a result of more-easily compromised credentials. Note that passwords entered via the Crimson system web server do not suffer from this vulnerability.

Do I need to act?

-
0.09% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (20)

Crimson
Crimson
Crimson
Crimson
Crimson
Crimson
Crimson
Crimson
Crimson
Crimson
Crimson
Crimson
Crimson
Crimson
Crimson
Crimson
Crimson
Crimson
Crimson
Crimson

Affected Vendors

Redlion

References (4)

Vendor Advisory https://support.redlion.net/hc/en-us/categories/360002087671-Security-Advisories
Third Party Advisory https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-01
Vendor Advisory https://support.redlion.net/hc/en-us/categories/360002087671-Security-Advisories
Third Party Advisory https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-01
50
/ 100
high-risk
Severity 30/34 · Critical
Exploitability 0/34 · Minimal
Exposure 20/34 · Moderate