VEGA Grieshaber VEGAPULS 6X Unsecured Configuration Interface Allows Unauthorized Access to Sensitive Information
Vulnerability
A vulnerability exists in the VEGA Grieshaber VEGAPULS 6X, specifically in the two-wire PROFINET, Modbus TCP, and OPC UA (Ethernet-APL) variants running firmware versions 1.0.0 and 1.1.0. The device exposes a configuration interface without authentication, so a remote attacker on the network can read sensitive information such as hashed credentials and access codes. With that information, an unauthorized user could impersonate an authorized one and modify device settings.
Impact
Exploitation of this vulnerability allows unauthorized access to sensitive information, including hashed credentials and access codes, which could be used to impersonate authorized users and modify device settings.
Remediation
Users are advised to update to the fixed firmware version 1.1.1. After the update, any credentials and access codes used on affected devices should be rotated, since they may already have been exposed while the device was running a vulnerable version. If an emergency code rotation is required, VEGA Support can be contacted for assistance.
