IFM: weak password recovery vulnerability in moneo appliance

VDE-2022-050

Last update

12/12/2022 12:00

Published at

12/12/2022 12:00

Vendor(s)

ifm electronic GmbH

External ID

VDE-2022-050

CSAF Document

Download

Summary

An unauthenticated remote attacker could reset the administrator's password with information from the default, self-signed certificate.

Impact

An unathenticated attacker can remotely reset the administrator password.

Affected Product(s)

Model no.	Product name	Affected versions
QHA210	moneo appliance <=1.9.3	moneo appliance <=1.9.3

Vulnerabilities

Expand / Collapse all

Published

09/22/2025 14:58

Severity

9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness

Weak Password Recovery Mechanism for Forgotten Password (CWE-640)

Summary

In IFM Moneo Appliance with version up to 1.9.3 an unauthenticated remote attacker can reset the administrator password by only supplying the serial number and thus gain full control of the device.

References

cve.org | nvd.nist.gov

Mitigation

The certificate is renewed by adjusting the hostname to an own customer-specific, so it does not contain the serial number.

Remediation

The password-reset mechanism will be updated in a future version.
When using automation components, make sure that no unauthorized access can take place. In addition, measures should be taken to ensure that the components do not have direct access to Internet resources and that they cannot be accessed from insecure networks. Use available security measures such as authentication and authorization groups.

Revision History

Version	Date	Summary
1	12/12/2022 12:00	Initial revision.

IFM: weak password recovery vulnerability in moneo appliance

Summary

Impact

Affected Product(s)

Vulnerabilities

CVE-2022-3485 9.8

Mitigation

Remediation

Revision History