Vulnerability Description
Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted.
CVSS Score
7.6 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Idec | Microsmart Fc6A Firmware | <= 2.32 |
| Idec | Microsmart Fc6A | - |
| Idec | Microsmart Plus Fc6A Firmware | <= 1.91 |
| Idec | Microsmart Plus Fc6A | - |
| Idec | Data File Manager | <= 2.12.1 |
| Idec | Windedit | <= 1.3.1 |
| Idec | Windldr | <= 8.19.1 |
Related Weaknesses (CWE)
References
- https://jvn.jp/en/vu/JVNVU92279973/index.html (Third Party Advisory)
- https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf (Vendor Advisory)
FAQ
What is CVE-2021-20826?
CVE-2021-20826 is a vulnerability with a CVSS score of 7.6 (HIGH). Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19...
How severe is CVE-2021-20826?
CVE-2021-20826 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-20826?
Check the references section above for vendor advisories and patch information. Affected products include: Idec Microsmart Fc6A Firmware, Idec Microsmart Fc6A, Idec Microsmart Plus Fc6A Firmware, Idec Microsmart Plus Fc6A, Idec Data File Manager.