Unrated severity · NVD Advisory · Published Dec 11, 2020 · Updated Aug 4, 2024

CVE-2020-28216

Description

A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older) that would allow an attacker to read network traffic over the HTTP protocol.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Easergy T300 firmware versions 2.7 and older transmit sensitive data over unencrypted HTTP, allowing an attacker to read network traffic.

Vulnerability

The Easergy T300 running firmware version 2.7 and earlier transmits sensitive data without encryption over HTTP (CWE-311) [1]. This is one of several findings reported in the CISA advisory ICSA-20-343-03; the same advisory also notes missing authentication for critical functions (CVE-2020-7561) and missing authorization (CVE-2020-28215), but the specific vulnerability covered here is the lack of encryption [1]. No special configuration is required to reach the affected code path; HTTP traffic is the default communication method.

Exploitation

An unauthenticated attacker with network access to the affected device can passively monitor HTTP traffic [1]. No authentication or user interaction is required. The attacker simply positions themselves on the network path between the Easergy T300 and its management peers to capture unencrypted HTTP packets.

Impact

Successful exploitation allows the attacker to read sensitive data transmitted over the network, leading to information disclosure [1]. If the captured traffic contains credentials or other privileged information, the attacker may escalate access to internal systems, potentially resulting in denial of service or remote code execution when combined with the other missing authentication and authorization vulnerabilities reported in the advisory [1].

Mitigation

Schneider Electric has released firmware version 2.8 to address this vulnerability (CVE-2020-28216). Users should update to firmware version 2.8 or later [1]. As a workaround, the advisory recommends network segmentation and restricting access to the affected product’s network interface [1]. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

2
