CVE-2019-14926
CRITICALMitsubishi Electric and INEA ME-RTU Firmware < 2.02 and < 3.0 - Use of Hard-coded SSH Keys
Title source: llmDescription
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Hard-coded SSH keys allow an attacker to gain unauthorised access or disclose encrypted data on the RTU due to the keys not being regenerated on initial installation or with firmware updates. In other words, these devices use private-key values in /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_ecdsa_key, and /etc/ssh/ssh_host_dsa_key files that are publicly available from the vendor web sites.
References (2)
Core 2
Core References
Third Party Advisory
https://www.mogozobo.com/
Exploit, Third Party Advisory
https://www.mogozobo.com/?p=3593
Scores
CVSS v3
9.8
EPSS
0.0036
EPSS Percentile
58.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-798
Status
published
Products (2)
inea/me-rtu_firmware
< 3.0
mitsubishielectric/smartrtu_firmware
< 2.02
Published
Oct 28, 2019
Tracked Since
Feb 18, 2026