VYPR
← All advisories
Unrated severityNVD Advisory· Published Feb 23, 2021· Updated Aug 3, 2024

CVE-2021-3252

CVE-2021-3252

Description

KACO New Energy XP100U Up to XP-JAVA 2.0 is affected by incorrect access control. Credentials will always be returned in plain-text from the local server during the KACO XP100U authentication process, regardless of whatever passwords have been provided, which leads to an information disclosure vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

Root cause

"Hard-coded credentials present in the client-side code allow anyone who inspects the client to obtain plain-text passwords."

Attack vector

An attacker can remotely exploit the hard-coded password by extracting credentials from the client-side code, which is easily accessible [ref_id=1]. The advisory notes the vulnerability is remotely exploitable and could lead to remote code execution [ref_id=1]. The attacker does not need valid authentication because the credentials are embedded in the client software itself.

Affected code

The advisory [ref_id=1] states that "the passwords for KACO HMI products are present in the code for the client that allows users to control the HMI." No specific file paths or function names are provided in the bundle.

What the fix does

The bundle does not include a patch. The advisory [ref_id=1] states that ICS-CERT is coordinating with the vendor to identify mitigations and will notify users when a patch or other mitigating solution becomes available. No remediation code or vendor fix is published in the provided materials.

Preconditions

  • networkAttacker must have network access to the KACO HMI device
  • authNo authentication required; credentials are hard-coded in the client code

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.