VDE-2024-028
Last update
15.01.2026 12:00
Published at
06.05.2024 12:00
Vendor(s)
ifm electronic GmbH
External ID
VDE-2024-028
CSAF Document
Summary
moneo \"Forgot Password\" function has a vulnerability which allows gaining privileged access.
Impact
In a moneo appliance with no mailserver configured, an unauthorized attacker can reset a password to the new user default value.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| Microsoft Windows | moneo <1.13.5 | |
| QHA210 | moneo <1.13.5 | |
| QHA300 | moneo <1.13.5 | |
| QVA200 | moneo <1.13.5 |
Vulnerabilities
Expand / Collapse all
Published
09.02.2026 08:37
Severity
Weakness
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
Summary
An unauthenticated remote attacker can change the admin password in a moneo appliance due to weak password recovery mechanism.
References
Mitigation
The correct configuration of a mail server prevents the exploitation of the vulnerability.
Remediation
Update to moneo version 1.13.5 or later.
Acknowledgments
ifm electronic GmbH thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com )
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 06.05.2024 12:00 | initial revision |
| 2.0.0 | 24.05.2024 12:00 | final draft |
| 3.0.0 | 27.05.2024 12:00 | Update |
| 4.0.0 | 03.06.2024 11:00 | Update after review |
| 5.0.0 | 30.10.2024 12:00 | no security relevant changes changed URLs from cert-vde.com to certvde.com revamped product tree |
| 6.0.0 | 06.11.2024 12:27 | Fix: added self-reference |
| 7.0.0 | 28.01.2025 12:00 | Update: changed affected products group |
| 8.0.0 | 03.02.2025 12:00 | fix TLP to white |
| 9.0.0 | 28.02.2025 12:00 | fixed: * initial release date * spacing in version ranges * reference category |
| 10.0.0 | 06.01.2026 12:00 | changed Windows form product name to product family and fixed the version range, added CPEs |
| 11.0.0 | 15.01.2026 12:00 | add cpe product identifier to Hardware and Software |