CVE-2018-16669

CRITICAL

CIRCONTROL OCPP <1.5.0 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-16669. PoCs published by SadFud.

AI-analyzed exploit summary This exploit targets CirCarLife SCADA systems (versions < 4.3.0) and PsiOcppApp (versions < 1.5.0) to disclose sensitive information, including admin credentials, via multiple endpoints. It leverages CVE-2018-12634 and related CVEs to extract software versions, PLC statuses, installation paths, and GPRS modem details.

Description

An issue was discovered in CIRCONTROL Open Charge Point Protocol (OCPP) before 1.5.0, as used in CirCarLife, PowerStudio, and other products. Due to storage of credentials in XML files, an unprivileged user can look at /services/config/config.xml for the admin credentials of the ocpp and circarlife panels.

Exploits (1)

exploitdb WORKING POC
by SadFud · pythonwebappshardware
https://www.exploit-db.com/exploits/45384

This exploit targets CirCarLife SCADA systems (versions < 4.3.0) and PsiOcppApp (versions < 1.5.0) to disclose sensitive information, including admin credentials, via multiple endpoints. It leverages CVE-2018-12634 and related CVEs to extract software versions, PLC statuses, installation paths, and GPRS modem details.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: CirCarLife SCADA < 4.3.0, PsiOcppApp < 1.5.0
No auth needed
Prerequisites: Network access to the target system · Exposed endpoints (e.g., /html/log, /services/system/info.html)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45384/

Scores

CVSS v3 9.8
EPSS 0.0214
EPSS Percentile 79.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-522
Status published
Products (1)
circontrol/open_charge_point_protocol < 1.5.0
Published Sep 18, 2018
Tracked Since Feb 18, 2026