CVE-2021-34544

Vulnerability

Solar-Log 500 devices running firmware versions prior to 2.8.2 Build 52 (23.04.2013) store passwords in cleartext on the web interface pages /export.html, email.html, and sms.html [1]. These pages display FTP, SMTP, and SMS service credentials without encryption. The vulnerability affects Solar-Log 500; models SL 200 and SL 1000 are also impacted but receive a fix in later firmware. Models SL 250, 300, 1200, 2000, SL 50 Gateway, and SL Base do not have a published fix and may be similarly vulnerable if they expose the same pages.

Exploitation

An attacker with network access to the device's web server can browse to the configuration pages (e.g., http:///export.html) and read the plaintext passwords [1]. No authentication is required if the pages are accessible without login; the Exploit-DB proof of concept confirms that simply navigating to these URLs reveals the credentials. The attacker must be on the same local network or have direct access to the device's IP address.

Impact

Successful exploitation allows an attacker to obtain cleartext passwords for FTP, SMTP, and SMS services configured on the device [1]. This could lead to unauthorized access to external services, data exfiltration via FTP, or abuse of SMTP for spam. The device itself is not compromised beyond credential disclosure, but the exposed credentials can be used to attack other systems.

Mitigation

The vulnerability is fixed in firmware version 3.0.0-60 (11.10.2013) for Solar-Log models 200, 500, and 1000 [1]. Users should update to this version or later. For models SL 250, 300, 1200, 2000, SL 50 Gateway, and SL Base, no fix is available; administrators should restrict network access to the device's web interface and consider replacing the device if sensitive services are used. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.