CVE-2018-8859

CRITICAL

Echelon SmartServer <4.11.007, i.LON 100 - Auth Bypass

Description

In Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions, an attacker can bypass the required authentication specified in the security configuration file by including extra characters in the directory name when specifying the directory to be accessed. This vulnerability does not affect the i.LON 600 product.

References (1)

Core References
Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03

Scores

CVSS v3 9.8
EPSS 0.0158
EPSS Percentile 72.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-287 CWE-288
Status published
Products (8)
Echelon/i.LON 100 all versions
Echelon/i.LON 600 all versions
echelon/i.lon_100_firmware
echelon/i.lon_600_firmware
Echelon/SmartServer 1 all versions
Echelon/SmartServer 2 all versions prior to release 4.11.007
echelon/smartserver_1_firmware
echelon/smartserver_2_firmware < 4.11.007
Published Jul 24, 2018
Tracked Since Feb 18, 2026