Janitza: Vulnerability in Modbus interface of UMG 96-PA and UMG 96-PA-MID+

VDE-2025-094
Last update
24.11.2025 13:00
Published at
24.11.2025 13:00
Vendor(s)
Janitza electronics GmbH
External ID
VDE-2025-094

Summary

A vulnerability in the devices UMG 96-PA and UMG 96-PA-MID+ enables an unauthenticated remote attacker to cause the device to become unavailable.

Impact

When the vulnerability is exploited, the device becomes unavailable. It no longer works as expected and does not respond to further requests. Additionally, its measurement functionality stops working, effectively making the device unavailable until the next restart.

Affected Product(s)

Model no.   Product name     Affected versions
1761.8057   UMG 96-PA        Firmware <3.54
            UMG 96-PA-MID+   Firmware <3.54

Vulnerabilities

Published
24.11.2025 12:33
Weakness
Improper Validation of Specified Type of Input (CWE-1287)
Summary

An unauthenticated remote attacker can send a specially crafted Modbus read command to the device which leads to a denial of service.

References

Mitigation

It is strongly advised to operate the device in a closed network protected by a suitable firewall. Network access to the device should be limited so that only the components that need it can reach the device. Special focus should be on the Modbus protocol, as it is the core communication protocol of the device.
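
One way to check that the network restriction described above is actually in effect, as an added example that is not part of the advisory or of vendor material: it scans firewall flow records for accepted Modbus connections to a meter from hosts outside an allowlist. The Modbus/TCP port 502, all addresses, the allowlist and the log format are assumptions made for illustration.

```python
import ipaddress

# Assumptions (not from the advisory): meters speak Modbus/TCP on the
# standard port 502; all addresses and the log format are constructed.
MODBUS_PORT = 502
METERS = {ipaddress.ip_address("198.51.100.20"), ipaddress.ip_address("198.51.100.21")}
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.10/32"),   # SCADA poller
                   ipaddress.ip_network("192.0.2.64/28")]   # energy-management hosts

# Constructed flow records: "timestamp src dst dport action"
SAMPLE_FLOWS = """\
2025-11-24T10:00:01 192.0.2.10 198.51.100.20 502 ACCEPT
2025-11-24T10:00:05 192.0.2.70 198.51.100.21 502 ACCEPT
2025-11-24T10:01:12 203.0.113.9 198.51.100.20 502 ACCEPT
2025-11-24T10:01:30 203.0.113.9 198.51.100.20 502 DROP
2025-11-24T10:02:00 192.0.2.200 198.51.100.21 502 ACCEPT
2025-11-24T10:02:09 192.0.2.200 198.51.100.21 80 ACCEPT
malformed line
"""

def parse_flow(line):
    """Return (ts, src, dst, dport, action) or None for unparsable lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), action
    except ValueError:
        return None

def unexpected_modbus_clients(log_text):
    """List accepted Modbus flows to a meter from a source outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, dst, dport, action = flow
        # Only accepted Modbus traffic towards a meter is relevant here.
        if dst not in METERS or dport != MODBUS_PORT or action != "ACCEPT":
            continue
        if not any(src in net for net in ALLOWED_CLIENTS):
            findings.append((ts, str(src), str(dst)))
    return findings

if __name__ == "__main__":
    for ts, src, dst in unexpected_modbus_clients(SAMPLE_FLOWS):
        print(f"{ts} firewall gap: {src} reached Modbus on {dst}")
```

Each finding marks a path through the firewall that should be closed until the device runs the fixed firmware.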

Remediation

It is strongly advised to update to the newest version. The vulnerability is fixed in version 3.54.

Acknowledgments

Janitza electronics GmbH thanks the following parties for their efforts:

  • CERT@VDE for Coordination (see https://certvde.com/en/)
  • Milence - Commercial Vehicle Charging Europe B.V. for Reporting

Revision History

Version   Date               Summary
1.0.0     24.11.2025 13:00   Initial release.