Unrated severity · NVD Advisory · Published Dec 7, 2021 · Updated Nov 11, 2024

CVE-2021-34543

Description

Solar-Log 500 web admin server before 2.8.2 Build 52 has no authentication, allowing remote admin access and configuration changes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The web administration server in Solar-Log 500 prior to version 2.8.2 Build 52 does not require authentication. This vulnerability allows any remote attacker to connect to the server and gain administrative privileges. Affected versions include all Solar-Log 500 firmware before 2.8.2 Build 52 [1].

Exploitation

An attacker can simply access the /lan.html page of the Solar-Log 500 web server without any authentication, thereby gaining administrative access to modify configuration files and change system status [1]. No credentials, user interaction, or special network position is required beyond network connectivity to the device.

Impact

Successful exploitation grants the attacker full administrative privileges, enabling modification of configuration files and alteration of system status. This could lead to disruption of solar monitoring operations, data integrity loss, and potential unauthorized control of the device.

Mitigation

The vulnerability is fixed in firmware version 3.0.0-60 released on 11.10.2013 for Solar-Log 200, 500, and 1000 models. For models SL 250, 300, 1200, 2000, SL 50 Gateway, and SL Base, no fix is available [1]. Users of affected models should upgrade to the patched firmware if supported, or implement network access controls to restrict administration interface exposure.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The web administration server does not require authentication, allowing unauthenticated access to administrative interfaces."

Attack vector

An attacker with network connectivity to the Solar-Log 500 device can simply navigate to the web administration server's pages (e.g., /lan.html) without providing any credentials [1]. The server does not enforce authentication, so the attacker immediately gains administrative privileges. This allows modification of configuration files and changing the system status [1]. The device is discoverable via Shodan using the filter "Server: IPC@CHIP" [1].

Affected code

The web administration server for Solar-Log 500 prior to 2.8.2 Build 52 does not require authentication [1]. The specific endpoint /lan.html is cited as accessible without authentication [1]. No source code or patch files are provided in the bundle.

What the fix does

The advisory states the fix is included in Solar-Log 500 firmware version 2.8.2 Build 52 (and later 3.0.0-60) [1]. No patch diff is provided in the bundle, but the remediation requires the vendor to implement authentication checks on the web administration server endpoints. The fix ensures that administrative actions require valid credentials before granting access.

Preconditions

  • Network: Attacker must have network access to the Solar-Log 500 device's web administration server.

Reproduction

Navigate to http://<target-ip>/lan.html in a web browser. No authentication is required, and administrative access is granted immediately [1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
