Ovarro Tbox Ms-cpu32-s2 Firmware — known CVE vulnerabilities
Every CVE whose affected-product data names Ovarro Tbox Ms-cpu32-s2 Firmware, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (12)
CVE-2021-22646 — CVSS 8.8 (high): The “ipk” package containing the configuration created by TWinSoft can be uploaded, extracted, and executed in Ovarro TBox, allowing…
CVE-2021-22648 — CVSS 8.8 (high): Ovarro TBox proprietary Modbus file access functions allow attackers to read, alter, or delete the configuration file.
CVE-2021-22640 — CVSS 7.5 (high): An attacker can decrypt the Ovarro TBox login password by communication capture and brute force attacks.
CVE-2021-22642 — CVSS 7.5 (high): An attacker could use specially crafted invalid Modbus frames to crash the Ovarro TBox system.
CVE-2021-22650 — CVSS 7.5 (high): An attacker may use TWinSoft and a malicious source project file (TPG) to extract files on machine executing Ovarro TWinSoft, which could…
CVE-2023-36609 — CVSS 7.2 (high): The affected TBox RTUs run OpenVPN with root privileges and can run user defined configuration scripts. An attacker could set up a local…
CVE-2023-36611 — CVSS 6.5 (medium): The affected TBox RTUs allow low privilege users to access software security tokens of higher privilege. This could allow an attacker with…
CVE-2023-3395 — CVSS 6.5 (medium): All versions of the TWinSoft Configuration Tool store encrypted passwords as plaintext in memory. An attacker with access to system…
CVE-2023-36608 — CVSS 6.5 (medium): The affected TBox RTUs store hashed passwords using MD5 encryption, which is an insecure encryption algorithm.
CVE-2023-36610 — CVSS 5.9 (medium): The affected TBox RTUs generate software security tokens using insufficient entropy. The random seed used to generate the software…
CVE-2023-36607 — CVSS 5.3 (medium): The affected TBox RTUs are missing authorization for running some API commands. An attacker running these commands could reveal sensitive…