CVE-2019-14929

CRITICAL

Mitsubishielectric Smartrtu Firmware - Insufficiently Protected Cre...

Title source: rule

Description

An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Stored cleartext passwords could allow an unauthenticated attacker to obtain configured username and password combinations on the RTU due to the weak credentials management on the RTU. An unauthenticated user can obtain the exposed password credentials to gain access to the following services: DDNS service, Mobile Network Provider, and OpenVPN service.

References (2)

[Third Party Advisory] https://www.mogozobo.com/

[Exploit, Third Party Advisory] https://www.mogozobo.com/?p=3593

Scores

CVSS v3 9.8

EPSS 0.0215

EPSS Percentile 84.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-522

Status published

Affected Products (2)

mitsubishielectric/smartrtu_firmware < 2.02

inea/me-rtu_firmware < 3.0

Timeline

Published Oct 28, 2019

Tracked Since Feb 18, 2026