CVE-2021-20826

HIGH

IDEC PLCs <v2.32 - Info Disclosure

Title source: llm

Description

Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted.

References (2)

[Third Party Advisory] https://jvn.jp/en/vu/JVNVU92279973/index.html

[Vendor Advisory] https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf

Scores

CVSS v3 7.6

EPSS 0.0009

EPSS Percentile 25.4%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Classification

CWE

CWE-522

Status published

Affected Products (5)

idec/microsmart_fc6a_firmware < 2.32

idec/microsmart_plus_fc6a_firmware < 1.91

idec/data_file_manager < 2.12.1

idec/windedit < 1.3.1

idec/windldr < 8.19.1

Timeline

Published Dec 24, 2021

Tracked Since Feb 18, 2026