Unrated severity · NVD Advisory · Published Jul 23, 2020 · Updated Aug 4, 2024

CVE-2020-10920

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the control service, which listens on TCP port 9999 by default. The issue results from the lack of authentication prior to allowing alterations to the system configuration. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-10493.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

C-MORE HMI EA9 firmware 6.52's control service on TCP port 9999 lacks authentication, allowing unauthenticated remote attackers to execute arbitrary code.

Vulnerability

The vulnerability resides in the control service of C-MORE HMI EA9 touch screen panels running firmware version 6.52. The control service listens on TCP port 9999 by default and fails to require any authentication before allowing changes to the system configuration. This missing authentication for a critical function enables an unauthenticated attacker to modify the device configuration remotely [1].

Exploitation

An attacker can exploit this flaw without any authentication or prior access to the device. By sending crafted network packets to the control service on TCP port 9999, the attacker can alter system configuration parameters. Since no credentials or user interaction are required, the exploitation is straightforward and can be conducted over the network from any remote location [1].

Impact

Successful exploitation grants the attacker the ability to execute arbitrary code in the context of the affected device. This can lead to full compromise of the HMI panel, including disclosure of sensitive information, modification of system settings, and potential denial of service. The CVSS score of 9.8 reflects the critical impact on confidentiality, integrity, and availability [1].

Mitigation

As of the publication date (2020-07-23), no official patch or firmware update addressing this vulnerability had been released. The vendor has not provided a workaround. Operators are advised to isolate affected devices from untrusted networks, restrict access to TCP port 9999 using firewalls, and monitor for any updates from C-MORE. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog [1].
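
One way to check that the firewall restriction on TCP port 9999 is holding, shown as an added example rather than vendor or ZDI tooling. The panel addresses, the allowed engineering subnet and the flow-log format are assumptions constructed for illustration.

```python
import ipaddress

CONTROL_PORT = 9999  # control service port named in the advisory

# Assumptions (constructed for this example): HMI panel addresses and the
# engineering subnet that is allowed to reach the control service.
HMI_PANELS = {ipaddress.ip_address("10.20.0.11"), ipaddress.ip_address("10.20.0.12")}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.5.0/28")]

# Constructed sample flow records: "timestamp src sport dst dport proto action"
SAMPLE_FLOWS = """\
2020-07-24T08:01:12Z 10.20.5.3 51544 10.20.0.11 9999 tcp ACCEPT
2020-07-24T08:03:40Z 10.20.9.77 40212 10.20.0.11 9999 tcp ACCEPT
2020-07-24T08:04:02Z 192.0.2.50 33810 10.20.0.12 9999 tcp DROP
2020-07-24T08:05:19Z 10.20.9.77 40300 10.20.0.12 502 tcp ACCEPT
2020-07-24T08:06:00Z 10.20.9.77 40311 10.20.0.99 9999 tcp ACCEPT
malformed line
"""

def parse_flow(line):
    """Return a dict for one flow record, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, _sport, dst, dport, proto, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                "dport": int(dport), "proto": proto.lower(), "action": action.upper()}
    except ValueError:
        return None

def find_unexpected_control_access(text):
    """Flag TCP flows to port 9999 on a known panel from a non-allowlisted source."""
    findings = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "tcp" or flow["dport"] != CONTROL_PORT:
            continue
        if flow["dst"] not in HMI_PANELS or any(flow["src"] in n for n in ALLOWED_SOURCES):
            continue
        # ACCEPT: the restriction is missing. Anything else: it held, but the port was probed.
        severity = "exposed" if flow["action"] == "ACCEPT" else "blocked-attempt"
        findings.append((flow["ts"], str(flow["src"]), str(flow["dst"]), severity))
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_control_access(SAMPLE_FLOWS):
        print(*finding)
```

An "exposed" finding means a source outside the allowlist reached the control service, so the firewall rule for that panel needs correcting.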

References
  1. ZDI-20-808

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • C-MORE/EA9 [llm-fuzzy]
    Range: =6.52
  • C-MORE/HMI EA9 [v5]
    Range: Firmware version 6.52

Patches

0

No patches discovered yet.
