VDE-2024-028

Last update: 02/28/2025 12:00
Published at: 05/06/2024 12:00
Vendor(s): ifm electronic GmbH
External ID: VDE-2024-028

Summary
The moneo "Forgot Password" function has a vulnerability that allows an attacker to gain privileged access.
Impact
In a moneo appliance with no mail server configured, an unauthenticated remote attacker can reset an account's password, including the admin account's, to the new-user default value and then log in with it.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| Microsoft Windows | moneo | <1.13.5 |
| QHA210 | moneo | <1.13.5 |
| QHA300 | moneo | <1.13.5 |
| QVA200 | moneo | <1.13.5 |
Vulnerabilities
Published: 09/24/2025 12:42
Weakness: Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
Summary: An unauthenticated remote attacker can change the admin password in a moneo appliance due to a weak password recovery mechanism.
Mitigation
Configuring a working mail server on the appliance prevents exploitation, since the fallback to the new-user default password only occurs when no mail server is configured. This is a workaround, not a fix; the update below is still required.
Remediation
Update to moneo version 1.13.5 or later.
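The following Python example is added here for illustration and is not ifm's moneo code. It models the fail-open behaviour described under Impact (no mail server, so the reset falls back to a known default) next to a fail-closed handler that refuses to reset without a delivery channel and otherwise issues a random, hashed, single-use, expiring token; this is why the Mitigation above works and goes a step beyond it. The default password value, the token lifetime, the in-memory user store, the mailer stand-in and all function names are assumptions.

```python
# Hypothetical example of a weak vs. a hardened "forgot password" handler
# (CWE-640); not ifm's moneo code. Models the advisory's failure mode: with
# no mail server configured, the weak handler resets to a known default.
import hashlib
import hmac
import secrets
import time

DEFAULT_NEW_USER_PASSWORD = "changeme"  # assumed "new user default value"
TOKEN_TTL_SECONDS = 15 * 60             # assumed reset-token lifetime

class MailNotConfigured(Exception):
    """No SMTP server is available to deliver a reset message."""

class Mailer:
    """Constructed stand-in for an SMTP client; records what it would send."""
    def __init__(self, smtp_host=None):
        self.smtp_host, self.outbox = smtp_host, []

    @property
    def configured(self):
        return bool(self.smtp_host)

    def send(self, to, subject, body):
        if not self.configured:
            raise MailNotConfigured("no mail server configured")
        self.outbox.append((to, subject, body))

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    """Constructed in-memory user database with salted password hashes."""
    def __init__(self):
        self.users = {}         # name -> {"email", "salt", "hash"}
        self.reset_tokens = {}  # sha256(token) -> (name, expiry)

    def add(self, name, email, password):
        self.users[name] = {"email": email}
        self.set_password(name, password)

    def set_password(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name].update(salt=salt, hash=_pw_hash(password, salt))

    def check(self, name, password):
        u = self.users.get(name)
        return u is not None and hmac.compare_digest(
            u["hash"], _pw_hash(password, u["salt"]))

def forgot_password_weak(store, mailer, name):
    """Fails OPEN: if the mail cannot be sent, reset to the known default."""
    if name not in store.users:
        return False
    new_password = secrets.token_urlsafe(12)
    try:
        mailer.send(store.users[name]["email"], "Password reset", new_password)
    except MailNotConfigured:
        new_password = DEFAULT_NEW_USER_PASSWORD  # the bug: guessable value
    store.set_password(name, new_password)        # changed by any remote caller
    return True

def forgot_password_hardened(store, mailer, name, now=None):
    """Fails CLOSED: no delivery channel, no reset. Otherwise mail a random
    single-use token; the password changes only when it is redeemed."""
    if not mailer.configured:
        raise MailNotConfigured("password reset unavailable: configure SMTP")
    if name in store.users:  # same reply either way: no account enumeration
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()  # store hash only
        now = time.time() if now is None else now
        store.reset_tokens[digest] = (name, now + TOKEN_TTL_SECONDS)
        mailer.send(store.users[name]["email"], "Password reset", token)
    return "If the account exists, a reset message has been sent."

def redeem_reset_token(store, token, new_password, now=None):
    """Consume a token exactly once, before expiry, then set the password."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = store.reset_tokens.pop(digest, None)
    now = time.time() if now is None else now
    if entry is None or now > entry[1]:
        return False
    store.set_password(entry[0], new_password)
    return True

def demo():
    """Replay the advisory's scenario (no mail server) against both handlers."""
    results = {}
    for handler in (forgot_password_weak, forgot_password_hardened):
        store = UserStore()
        store.add("admin", "admin@example.invalid", "Str0ng-Admin-Secret")
        try:
            handler(store, Mailer(smtp_host=None), "admin")
        except MailNotConfigured:
            pass  # hardened handler refuses; admin password is untouched
        results[handler.__name__] = store.check("admin", DEFAULT_NEW_USER_PASSWORD)
    return results  # {'forgot_password_weak': True, 'forgot_password_hardened': False}
```

Running `demo()` reproduces the advisory's condition: after one unauthenticated "forgot password" call against an appliance with no mail server, the weak handler leaves the admin account open to the default password, while the hardened handler changes nothing. Note that the hardened variant also avoids two related weaknesses the weak one has even when mail works: it never mails a password (only a token whose hash is stored) and it returns the same reply whether or not the account exists.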
Acknowledgments
ifm electronic GmbH thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com )
Revision History
| Version | Date | Summary | 
|---|---|---|
| 1 | 05/06/2024 12:00 | initial revision | 
| 2 | 05/24/2024 12:00 | final draft | 
| 3 | 05/27/2024 12:00 | Update | 
| 4 | 06/03/2024 11:00 | Update after review | 
| 5 | 10/30/2024 12:00 | no security relevant changes: changed URLs from cert-vde.com to certvde.com; revamped product tree |
| 6 | 11/06/2024 12:27 | Fix: added self-reference | 
| 7 | 01/28/2025 12:00 | Update: changed affected products group | 
| 8 | 02/03/2025 12:00 | fix TLP to white | 
| 9 | 02/28/2025 12:00 | fixed: initial release date; spacing in version ranges; reference category |