IFM: weak password recovery vulnerability in moneo appliance

VDE-2022-050
Last update
06.01.2026 12:00
Published at
12.12.2022 12:00
Vendor(s)
ifm electronic GmbH
External ID
VDE-2022-050

Summary

An unauthenticated remote attacker could reset the administrator's password with information from the default, self-signed certificate.

Impact

An unauthenticated attacker can remotely reset the administrator password.

Affected Product(s)

Model no. Product name Affected versions
QHA210 QHA210 moneo appliance <=1.9.3
moneo appliance vers:semver/<=1.9.3

Vulnerabilities

Published
09.02.2026 08:38
Weakness
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
References

Mitigation

The certificate is renewed by changing the hostname to a customer-specific one, so that it no longer contains the serial number.
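
One way to verify this mitigation, as an added example that is not part of the advisory or of ifm's tooling: it lists every text field of a certificate that still contains a given device serial number. The function names, the serial SN0001234 and the sample hostnames are constructed for illustration; the advisory does not say which certificate field holds the serial, so all text fields are scanned.

```python
import ssl

# ASN.1 text tags -> codec; 0x81/0x82/0x86 are SAN rfc822Name/dNSName/URI
_TEXT_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1", 0x16: "ascii",
              0x1E: "utf-16-be", 0x81: "ascii", 0x82: "ascii", 0x86: "ascii"}

def _tlvs(buf):
    """Yield (tag, value) for each DER element; ValueError if malformed."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            if n == 0 or i + n > len(buf):
                raise ValueError("bad DER length")
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("DER value overruns buffer")
        yield tag, buf[i:i + length]
        i += length

def cert_strings(der):
    """Collect every text value in a DER certificate (names, SAN, extensions)."""
    out = []
    for tag, val in _tlvs(der):
        if tag in _TEXT_TAGS:
            out.append(val.decode(_TEXT_TAGS[tag], "replace"))
        elif tag & 0x20:                       # SEQUENCE, SET, [n] constructed
            out += cert_strings(val)
        elif tag == 0x04:                      # extension values wrap DER
            try:
                out += cert_strings(val)
            except ValueError:
                pass                           # opaque bytes, e.g. a key id
    return out

def names_with_serial(der, serial):
    """Return the certificate strings that contain the device serial number."""
    return [s for s in cert_strings(der) if serial.lower() in s.lower()]

def check_host(host, serial, port=443):
    """Fetch the certificate a host serves (unverified) and run the check."""
    pem = ssl.get_server_certificate((host, port))
    return names_with_serial(ssl.PEM_cert_to_DER_cert(pem), serial)

tlv = lambda tag, val: bytes([tag, len(val)]) + val  # builds the constructed sample
SAMPLE_DER = tlv(0x30, tlv(0x0C, b"dev-SN0001234") + tlv(0x04, tlv(0x30, tlv(0x82, b"dev-sn0001234.example"))))
```

`check_host` fetches the certificate without validating it, which a self-signed default certificate requires. An empty list means no text field in the served certificate contains the serial number.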

Remediation

The password-reset mechanism will be updated in a future version.
When using automation components, make sure that no unauthorized access can take place. In addition, measures should be taken to ensure that the components do not have direct access to Internet resources and that they cannot be accessed from insecure networks. Use available security measures such as authentication and authorization groups.

Acknowledgments

ifm electronic GmbH thanks the following parties for their efforts:

Revision History

Version Date Summary
1.0.0 12.12.2022 12:00 Initial revision.
2.0.0 06.01.2026 12:00 fixed version range, added Hardware with relationship, changed vulnerability title to CVE description