CVE-2020-10918
Description
This vulnerability allows remote attackers to bypass authentication on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authentication mechanism. The issue is due to insufficient authentication on post-authentication requests. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from unauthenticated users. Was ZDI-CAN-10182.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
C-MORE HMI EA9 firmware 6.52 lacks authentication checks on post-authentication requests, allowing remote attackers to bypass authentication entirely.
Vulnerability
C-MORE HMI EA9 touch screen panels running firmware version 6.52 contain an authentication bypass vulnerability. The specific flaw exists within the authentication mechanism; the device fails to properly authenticate requests that should require authentication, effectively treating them as if they are post-authentication requests [1]. This allows any remote attacker to access resources that are normally protected.
Exploitation
An attacker does not need any authentication or prior access; the vulnerability is exploitable remotely with network access to the affected device [1]. No user interaction or special privileges are required. By sending crafted requests to the HMI, an attacker can bypass the authentication checks and interact with the device's protected interfaces.
Impact
Successful exploitation allows an attacker to escalate privileges and access resources normally protected from unauthenticated users. This can lead to unauthorized information disclosure, as the CVSS vector indicates high confidentiality impact. The attacker gains the ability to read sensitive data or perform actions reserved for authenticated operators without proper authorization [1].
Mitigation
C-MORE released firmware version 6.6 to fix this issue, and later releases include the fix [1]. Users should update their HMI EA9 panels to version 6.6 or newer. No workarounds are documented. The vulnerability was disclosed via the Zero Day Initiative (ZDI-20-805) [1]. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- C-MORE/HMI EA9 v5 (Range: Firmware version 6.52)
Patches
No patches discovered yet.
References
[1] www.zerodayinitiative.com/advisories/ZDI-20-805/ (mitre, x_refsource_MISC)