Summary
An unauthenticated remote attacker can exploit several vulnerabilities in Janitza UMG 96RM-E devices to ultimately gain full system access and remote code execution.
Impact
In combination, these vulnerabilities allow an unauthenticated remote attacker to fully compromise the system, including remote code execution. Further details on each separate vulnerability can be found under vulnerability details.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 5222063 | UMG 96RM-E | Firmware <=3.13, Firmware 3.13 |
| 5222062 | UMG 96RM-E | Firmware 3.13, Firmware <=3.13 |
Vulnerabilities
An unauthenticated remote attacker can perform a command injection via Modbus-TCP or Modbus-RTU to gain read and write access on the affected device.
An unauthenticated remote attacker who tricks a user into uploading a manipulated HTML file can get access to sensitive information on the device. This is a result of incorrect permission assignment for the web server.
An unauthenticated remote attacker may use hardcoded credentials to get access to the previously activated FTP server with limited read and write privileges.
An unauthenticated remote attacker can use firmware images to extract password hashes and brute force plaintext passwords of accounts with limited access.
Remediation
It is strongly advised to update to the newest version. The vulnerabilities are fixed in version 3.14.
Acknowledgments
Janitza electronics GmbH thanks the following parties for their efforts:
- CERT@VDE for Coordination (see https://certvde.com/en/ )
- Deutsche Telekom Security (DT Security) for Reporting (see https://github.security.telekom.com/ )
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 10.03.2026 08:00 | Initial Revision |