CVE-2020-6988
HIGHRockwell Automation MicroLogix 1400 A/B <21.001 and 1100, RSLogix 500 <12.001 - Credential Disclosure
Title source: llmDescription
Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, A remote, unauthenticated attacker can send a request from the RSLogix 500 software to the victim’s MicroLogix controller. The controller will then respond to the client with used password values to authenticate the user on the client-side. This method of authentication may allow an attacker to bypass authentication altogether, disclose sensitive information, or leak credentials.
References (1)
Core 1
Core References
Third Party Advisory, US Government Resource x_refsource_misc
https://www.us-cert.gov/ics/advisories/icsa-20-070-06
Scores
CVSS v3
7.5
EPSS
0.0018
EPSS Percentile
38.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-603
CWE-287
Status
published
Products (4)
rockwellautomation/micrologix_1100_firmware
rockwellautomation/micrologix_1400_a_firmware
rockwellautomation/micrologix_1400_b_firmware
< 21.001
rockwellautomation/rslogix_500
< 12.001
Published
Mar 16, 2020
Tracked Since
Feb 18, 2026