CVE-2012-6428

The Carlo Gavazzi EOS-Box stores hard-coded passwords in the PHP file of the device. By using the hard-coded passwords, attackers can log into the device with administrative privileges. This could allow the attacker to have unauthorized access.

CVSS v2.0 10.0 HIGH

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-12-354-02
http://www.us-cert.gov/control_systems/pdf/ICSA-12-354-02.pdf	US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:carlosgavazzi:eos-box_photovoltaic_monitoring_system_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:carlosgavazzi:eos-box_photovoltaic_monitoring_system:-:*:*:*:*:*:*:*

History

01 Jul 2025, 20:15

Type	Values Removed	Values Added
References		() https://www.cisa.gov/news-events/ics-advisories/icsa-12-354-02 -
CWE		CWE-798
Summary	(en) Carlo Gavazzi EOS-Box with firmware before 1.0.0.1080_2.1.10 establishes multiple hardcoded accounts, which makes it easier for remote attackers to obtain administrative access by reading a password in a PHP script, a similar issue to CVE-2012-5862.	(en) The Carlo Gavazzi EOS-Box stores hard-coded passwords in the PHP file of the device. By using the hard-coded passwords, attackers can log into the device with administrative privileges. This could allow the attacker to have unauthorized access.

21 Nov 2024, 01:46

Type	Values Removed	Values Added
References	~~() http://www.us-cert.gov/control_systems/pdf/ICSA-12-354-02.pdf - US Government Resource~~	() http://www.us-cert.gov/control_systems/pdf/ICSA-12-354-02.pdf - US Government Resource

Information

Published : 2012-12-23 21:55

Updated : 2025-07-01 20:15

NVD link : CVE-2012-6428

Mitre link : CVE-2012-6428

CVE.ORG link : CVE-2012-6428

JSON object : View

Products Affected

carlosgavazzi

eos-box_photovoltaic_monitoring_system
eos-box_photovoltaic_monitoring_system_firmware

CWE

CWE-798

Use of Hard-coded Credentials

CWE-255

Credentials Management Errors

{"id": "CVE-2012-6428", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2012-12-23T21:55:01.653", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-12-354-02", "source": "ics-cert@hq.dhs.gov"}, {"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-12-354-02.pdf", "tags": ["US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-798"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-255"}]}], "descriptions": [{"lang": "en", "value": "The Carlo Gavazzi \nEOS-Box\n\nstores hard-coded passwords in the PHP file of \nthe device. By using the hard-coded passwords, attackers can log into \nthe device with administrative privileges. This could allow the attacker\n to have unauthorized access."}, {"lang": "es", "value": "Carlo Gavazzi EOS-Box con firmware antes de v1.0.0.1080_2.1.10 establece varias cuentas 'harcodeadas', lo que hace que sea m\u00e1s f\u00e1cil para los atacantes remotos obtener acceso administrativo al leer una contrase\u00f1a en un script PHP. Se trata de un problema similar a CVE-2012-5862a\r\n"}], "lastModified": "2025-07-01T20:15:24.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:carlosgavazzi:eos-box_photovoltaic_monitoring_system_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "61868231-4AC6-476D-8A7F-0520E46044F0", "versionEndIncluding": "1.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:carlosgavazzi:eos-box_photovoltaic_monitoring_system:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66B585E4-5C68-49BB-BD40-8D166067D32A"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}