VDE-2024-028
Last update
28.02.2025 12:00
Published at
06.05.2024 12:00
Vendor(s)
ifm electronic GmbH
External ID
VDE-2024-028
CSAF Document
Summary
moneo \"Forgot Password\" function has a vulnerability which allows gaining privileged access.
Impact
In a moneo appliance with no mailserver configured, an unauthorized attacker can reset a password to the new user default value.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| Microsoft Windows | moneo <1.13.5 | |
| QHA210 | moneo <1.13.5 | |
| QHA300 | moneo <1.13.5 | |
| QVA200 | moneo <1.13.5 |
Vulnerabilities
Expand / Collapse all
Published
24.09.2025 12:42
Severity
Weakness
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
Summary
An unauthenticated remote attacker can change the admin password in a moneo appliance due to weak password recovery mechanism.
References
Mitigation
The correct configuration of a mail server prevents the exploitation of the vulnerability.
Remediation
Update to moneo version 1.13.5 or later.
Acknowledgments
ifm electronic GmbH thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com )
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 06.05.2024 12:00 | initial revision |
| 2 | 24.05.2024 12:00 | final draft |
| 3 | 27.05.2024 12:00 | Update |
| 4 | 03.06.2024 11:00 | Update after review |
| 5 | 30.10.2024 12:00 | no security relevant changes changed URLs from cert-vde.com to certvde.com revamped product tree |
| 6 | 06.11.2024 12:27 | Fix: added self-reference |
| 7 | 28.01.2025 12:00 | Update: changed affected products group |
| 8 | 03.02.2025 12:00 | fix TLP to white |
| 9 | 28.02.2025 12:00 | fixed: * initial release date * spacing in version ranges * reference category |