Endress Meac300-fnade4 Firmware — known CVE vulnerabilities
Every CVE whose affected-product data names Endress Meac300-fnade4 Firmware, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (19)
CVE-2025-1708 — CVSS 8.6 (high): The application is vulnerable to SQL injection attacks. An attacker is able to dump the PostgreSQL database and read its content.
CVE-2025-27461 — CVSS 7.6 (high): During startup, the device automatically logs in the EPC2 Windows user without requesting a password.
CVE-2025-27460 — CVSS 7.6 (high): The hard drives of the device are not encrypted using a full volume encryption feature such as BitLocker. This allows an attacker with…
CVE-2025-1710 — CVSS 7.5 (high): The maxView Storage Manager does not implement sufficient measures to prevent multiple failed authentication attempts within a short time…
CVE-2025-27456 — CVSS 7.5 (high): The SMB server's login mechanism does not implement sufficient measures to prevent multiple failed authentication attempts within a short…
CVE-2025-27449 — CVSS 7.5 (high): The MEAC300-FNADE4 does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame…
CVE-2025-27447 — CVSS 7.4 (high): The web application is susceptible to cross-site-scripting attacks. An attacker can create a prepared URL, which injects JavaScript code…
CVE-2025-27448 — CVSS 6.8 (medium): The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboards can inject JavaScript code…
CVE-2025-1709 — CVSS 6.5 (medium): Several credentials for the local PostgreSQL database are stored in plain text (partially base64 encoded).
CVE-2025-27458 — CVSS 6.5 (medium): The VNC authentication mechanism bases on a challenge-response system where both server and client use the same password for encryption…
CVE-2025-27450 — CVSS 6.5 (medium): The Secure attribute is missing on multiple cookies provided by the MEAC300-FNADE4. An attacker can trick a user to establish an…
CVE-2025-27457 — CVSS 6.5 (medium): All communication between the VNC server and client(s) is unencrypted. This allows an attacker to intercept the traffic and obtain…
CVE-2025-27452 — CVSS 5.3 (medium): The configuration of the Apache httpd webserver which serves the MEAC300-FNADE4 web application, is partly insecure. There are modules…
CVE-2025-27451 — CVSS 5.3 (medium): For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect…
CVE-2025-27453 — CVSS 5.3 (medium): The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript.
CVE-2025-27459 — CVSS 4.4 (medium): The VNC application stores its passwords encrypted within the registry but uses DES for encryption. As DES is broken, the original…
CVE-2025-27454 — CVSS 4.3 (medium): The application is vulnerable to cross-site request forgery. An attacker can trick a valid, logged in user into submitting a web request…
CVE-2025-1711 — CVSS 4.3 (medium): Multiple services of the DUT as well as different scopes of the same service reuse the same credentials.
CVE-2025-27455 — CVSS 4.3 (medium): The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a…