CVE-2016-2298

CRITICAL

Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited - Exposure of Sensitive Information


Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-2298. This includes the Metasploit module auxiliary/scanner/http/meteocontrol_weblog_extractadmin.

AI-analyzed exploit summary: This Metasploit module exploits an authentication bypass vulnerability in Meteocontrol WEBlog appliances to extract the Administrator password from the device management portal. It checks for the presence of the application and then extracts the password from the configuration page.

Description

Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited allows remote attackers to obtain sensitive cleartext information via unspecified vectors.

Exploits (1)

metasploit · WORKING POC · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb


Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Meteocontrol WEBlog appliances (software version < May 2016 release)
No auth needed
Prerequisites: Network access to the target device · Target running Meteocontrol WEBlog with vulnerable software version
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References (2)
Third Party Advisory, US Government Resource (x_refsource_misc): https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01
Mailing List (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2016/May/52

Scores

CVSS v3 9.8
EPSS 0.7303
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-200
Status published
Products (4)
meteocontrol/web\'log_basic_100
meteocontrol/web\'log_light
meteocontrol/web\'log_pro
meteocontrol/web\'log_pro_unlimited
Published May 14, 2016
Tracked Since Feb 18, 2026