CVE-2021-37401

CRITICAL

Idec Data File Manager < 2.12.1 - Insufficiently Protected Credentials

Title source: rule

Description

An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded.

References (4)

[Third Party Advisory] https://jvn.jp/en/vu/JVNVU92279973/

[Vendor Advisory] https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A

[Vendor Advisory] https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer

[Vendor Advisory] https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf

Scores

CVSS v3 9.8

EPSS 0.0070

EPSS Percentile 71.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-522

Status published

Affected Products (9)

idec/data_file_manager < 2.12.1

idec/windedit < 1.3.1

idec/windldr < 8.19.1

idec/microsmart_plus_fc6b_firmware < 2.31

idec/microsmart_plus_fc6a_firmware < 1.91

idec/microsmart_fc6b_firmware < 2.31

idec/microsmart_fc6a_firmware < 2.32

idec/ft1a_smartaxix_pro_firmware < 2.31

idec/ft1a_smartaxix_lite_firmware < 2.31

Timeline

Published Dec 28, 2021

Tracked Since Feb 18, 2026