Use of Hard-coded Credentials in UWP3.0 allows SuperUser authentication bypass in Car Park Server.
Description
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in version 2.8.3, a remote, unauthenticated attacker could make use of hard-coded credentials to gain SuperUser access to the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hard-coded credentials in Carlo Gavazzi UWP 3.0 and CPY Car Park Server 2.8.3 let remote unauthenticated attackers gain SuperUser access.
Vulnerability
Carlo Gavazzi UWP 3.0 (multiple versions) and CPY Car Park Server version 2.8.3 ship with hard-coded credentials embedded in the device firmware [1]. Because these credentials are not changed during initial setup, a remote, unauthenticated attacker can authenticate as SuperUser via SSH, HTTPS, or the embedded web interface without any further configuration of the device [1].
Exploitation
An attacker with network connectivity to the device can simply supply the hard-coded username and password (not disclosed in the advisory) to gain administrative access [1]. No valid account, user interaction, or prior knowledge beyond the device IP address is required. Authentication can be performed over the standard remote management protocols or the web interface [1].
Impact
Successful exploitation grants the attacker SuperUser privileges on the affected device [1]. This yields full control over the controller or server, including the ability to read or modify its configuration, firmware, and all operational data, potentially impacting the availability, integrity, and confidentiality of the connected industrial control system [1].
Mitigation
Carlo Gavazzi has released updated firmware for UWP 3.0 and CPY Car Park Server that removes the hard-coded credentials [1]. Users should update to the latest version as specified in VDE-2022-029 [1]. For unpatched devices, the only available workaround is to restrict network access to the device with firewall rules [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: =2.8.3
- (no CPE) range: 2
- Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller, v5, range: 8
- Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller – EDP version, v5, range: 8
- Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller – Security Enhanced, v5, range: 8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] cert.vde.com/en/advisories/VDE-2022-029/ (MITRE x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.