Westermo
Products
13- 8 CVEs
- 5 CVEs
- 3 CVEs
- 3 CVEs
- 3 CVEs
- 3 CVEs
- 3 CVEs
- 3 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
25| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-36081 | Cri | 0.64 | 9.8 | 0.01 | May 19, 2024 | Westermo EDW-100 devices through 2024-05-03 allow an unauthenticated user to download a configuration file containing a cleartext password. NOTE: this is a serial-to-Ethernet converter that should not be placed at the edge of the network. | ||
| CVE-2024-36080 | Cri | 0.64 | 9.8 | 0.01 | May 19, 2024 | Westermo EDW-100 devices through 2024-05-03 have a hidden root user account with a hardcoded password that cannot be changed. NOTE: this is a serial-to-Ethernet converter that should not be placed at the edge of the network. | ||
| CVE-2015-7923 | Cri | 0.59 | 9.0 | 0.01 | Jan 30, 2016 | Westermo WeOS before 4.19.0 uses the same SSL private key across different customers' installations, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by leveraging knowledge of a key. | ||
| CVE-2017-12703 | Hig | 0.57 | 8.8 | 0.01 | Aug 25, 2017 | A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible… | ||
| CVE-2016-5816 | Hig | 0.49 | 7.5 | 0.02 | Aug 25, 2017 | A Use of Hard-Coded Cryptographic Key issue was discovered in MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The device utilizes hard-coded private cryptographic keys that may allow an attacker to decrypt traffic from any… | ||
| CVE-2025-54319 | Med | 0.41 | 6.3 | 0.00 | Jul 20, 2025 | An issue was discovered in Westermo WeOS 5 (5.24 through 5.24.4). A threat actor potentially can gain unauthorized access to sensitive information via system logging information (syslog verbose logging that includes credentials). | ||
| CVE-2025-46419 | Med | 0.38 | 5.9 | 0.00 | Apr 24, 2025 | Westermo WeOS 5 through 5.23.0 allows a reboot via a malformed ESP packet. | ||
| CVE-2017-12709 | Med | 0.34 | 5.3 | 0.00 | Aug 25, 2017 | A Use of Hard-Coded Credentials issue was discovered in MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The device utilizes hard-coded credentials, which could allow for unauthorized local low-privileged access to the device. | ||
| CVE-2020-12503 | 0.01 | — | 0.23 | Oct 15, 2020 | Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3… | |||
| CVE-2023-40143 | 0.00 | — | 0.00 | Feb 6, 2024 | An attacker with access to the Westermo Lynx web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the "forward.0.domain" parameter. | |||
| CVE-2023-45735 | 0.00 | — | 0.01 | Feb 6, 2024 | A potential attacker with access to the Westermo Lynx device may be able to execute malicious code that could affect the correct functioning of the device. | |||
| CVE-2023-45222 | 0.00 | — | 0.00 | Feb 6, 2024 | An attacker with access to the web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the "autorefresh" parameter. | |||
| CVE-2023-45213 | 0.00 | — | 0.00 | Feb 6, 2024 | A potential attacker with access to the Westermo Lynx device would be able to execute malicious code that could affect the correct functioning of the device. | |||
| CVE-2023-42765 | 0.00 | — | 0.00 | Feb 6, 2024 | An attacker with access to the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the "username" parameter in the SNMP configuration. | |||
| CVE-2023-40544 | 0.00 | — | 0.00 | Feb 6, 2024 | An attacker with access to the network where the affected devices are located could maliciously actions to obtain, via a sniffer, sensitive information exchanged via TCP communications. | |||
| CVE-2023-45227 | 0.00 | — | 0.00 | Feb 6, 2024 | An attacker with access to the web application with vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the "dns.0.server" parameter. | |||
| CVE-2023-38579 | 0.00 | — | 0.00 | Feb 6, 2024 | The cross-site request forgery token in the request may be predictable or easily guessable allowing attackers to craft a malicious request, which could be triggered by a victim unknowingly. In a successful CSRF attack, the attacker could lead the victim user to… | |||
| CVE-2020-25155 | 0.00 | — | 0.01 | Nov 13, 2020 | The affected product transmits unencrypted sensitive information, which may allow an attacker to access this information on the NIO 50 (all versions). | |||
| CVE-2020-12504 | 0.00 | — | 0.03 | Oct 15, 2020 | Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3… | |||
| CVE-2020-12502 | 0.00 | — | 0.01 | Oct 15, 2020 | Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3… |
- risk 0.64cvss 9.8epss 0.01
Westermo EDW-100 devices through 2024-05-03 allow an unauthenticated user to download a configuration file containing a cleartext password. NOTE: this is a serial-to-Ethernet converter that should not be placed at the edge of the network.
- risk 0.64cvss 9.8epss 0.01
Westermo EDW-100 devices through 2024-05-03 have a hidden root user account with a hardcoded password that cannot be changed. NOTE: this is a serial-to-Ethernet converter that should not be placed at the edge of the network.
- risk 0.59cvss 9.0epss 0.01
Westermo WeOS before 4.19.0 uses the same SSL private key across different customers' installations, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by leveraging knowledge of a key.
- risk 0.57cvss 8.8epss 0.01
A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible…
- risk 0.49cvss 7.5epss 0.02
A Use of Hard-Coded Cryptographic Key issue was discovered in MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The device utilizes hard-coded private cryptographic keys that may allow an attacker to decrypt traffic from any…
- risk 0.41cvss 6.3epss 0.00
An issue was discovered in Westermo WeOS 5 (5.24 through 5.24.4). A threat actor potentially can gain unauthorized access to sensitive information via system logging information (syslog verbose logging that includes credentials).
- risk 0.38cvss 5.9epss 0.00
Westermo WeOS 5 through 5.23.0 allows a reboot via a malformed ESP packet.
- risk 0.34cvss 5.3epss 0.00
A Use of Hard-Coded Credentials issue was discovered in MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The device utilizes hard-coded credentials, which could allow for unauthorized local low-privileged access to the device.
- CVE-2020-12503Oct 15, 2020risk 0.01cvss —epss 0.23
Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3…
- CVE-2023-40143Feb 6, 2024risk 0.00cvss —epss 0.00
An attacker with access to the Westermo Lynx web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the "forward.0.domain" parameter.
- CVE-2023-45735Feb 6, 2024risk 0.00cvss —epss 0.01
A potential attacker with access to the Westermo Lynx device may be able to execute malicious code that could affect the correct functioning of the device.
- CVE-2023-45222Feb 6, 2024risk 0.00cvss —epss 0.00
An attacker with access to the web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the "autorefresh" parameter.
- CVE-2023-45213Feb 6, 2024risk 0.00cvss —epss 0.00
A potential attacker with access to the Westermo Lynx device would be able to execute malicious code that could affect the correct functioning of the device.
- CVE-2023-42765Feb 6, 2024risk 0.00cvss —epss 0.00
An attacker with access to the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the "username" parameter in the SNMP configuration.
- CVE-2023-40544Feb 6, 2024risk 0.00cvss —epss 0.00
An attacker with access to the network where the affected devices are located could maliciously actions to obtain, via a sniffer, sensitive information exchanged via TCP communications.
- CVE-2023-45227Feb 6, 2024risk 0.00cvss —epss 0.00
An attacker with access to the web application with vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the "dns.0.server" parameter.
- CVE-2023-38579Feb 6, 2024risk 0.00cvss —epss 0.00
The cross-site request forgery token in the request may be predictable or easily guessable allowing attackers to craft a malicious request, which could be triggered by a victim unknowingly. In a successful CSRF attack, the attacker could lead the victim user to…
- CVE-2020-25155Nov 13, 2020risk 0.00cvss —epss 0.01
The affected product transmits unencrypted sensitive information, which may allow an attacker to access this information on the NIO 50 (all versions).
- CVE-2020-12504Oct 15, 2020risk 0.00cvss —epss 0.03
Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3…
- CVE-2020-12502Oct 15, 2020risk 0.00cvss —epss 0.01
Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3…