CVE-2018-19616

HIGH

Rockwellautomation Powermonitor 1000 Firmware - Authentication Bypass

Title source: rule

Description

An issue was discovered in Rockwell Automation Allen-Bradley PowerMonitor 1000. An unauthenticated user can add/edit/remove administrators because access control is implemented on the client side via a disabled attribute for a BUTTON element.

Exploits (1)

exploitdb WRITEUP

by Luca.Chiou · textwebappshardware

https://www.exploit-db.com/exploits/45937

View Code ZIP pw:eip

References (5)

Core 5

Core References

Third Party Advisory, US Government Resource x_refsource_misc

https://ics-cert.us-cert.gov/advisories/ICSA-19-050-04

Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/150619/Rockwell-Automation-Allen-Bradley-PowerMonitor-1000-Authentication-Bypass.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/106333

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45937/

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/108538

Scores

CVSS v3 8.1

EPSS 0.0263

EPSS Percentile 85.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-287

Status published

Products (1)

rockwellautomation/powermonitor_1000_firmware 1408-em3a-ent_b

Published Dec 26, 2018

Tracked Since Feb 18, 2026