Unrated severityNVD Advisory· Published Mar 18, 2022· Updated Apr 16, 2025
Rockwell Automation ISaGRAF5 Runtime Use of Hard-coded Cryptographic Key
CVE-2020-25180
Description
Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x includes the functionality of setting a password that is required to execute privileged commands. The password value passed to ISaGRAF Runtime is the result of encryption performed with a fixed key value using the tiny encryption algorithm (TEA) on an entered or saved password. A remote, unauthenticated attacker could pass their own encrypted password to the ISaGRAF 5 Runtime, which may result in information disclosure on the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
24.x, 5.x+ 1 more
- (no CPE)range: 4.x, 5.x
- (no CPE)range: 4.x
Patches
Vulnerability mechanics
References
4- download.schneider-electric.com/filesmitrex_refsource_CONFIRM
- rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699mitrex_refsource_CONFIRM
- www.cisa.gov/uscert/ics/advisories/icsa-20-280-01mitrex_refsource_CONFIRM
- www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdfmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.