CVE-2021-41292
ECOA BAS Controller - Unauthenticated Authentication Bypass via Cookie Poisoning
Severity: CRITICAL
Title source: llmDescription
The ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker can remotely bypass authentication through cookie poisoning, disclose sensitive information, circumvent physical access controls in smart homes and buildings, and manipulate HVAC.
References (1)
Third Party Advisory (x_refsource_misc): https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html
Scores
CVSS v3: 9.8
EPSS: 0.0113
EPSS Percentile: 62.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-287, CWE-288
Status: published
Products (3):
- ecoa/ecs_router_controller-ecs_firmware
- ecoa/riskbuster_firmware
- ecoa/riskterminator
Published: Sep 30, 2021
Tracked Since: Feb 18, 2026