CVE-2021-3252 – CVE-2021-3252 is an authentication bypass vulne... (How to Fix)

Q: What is the severity of CVE-2021-3252?

CVE-2021-3252 has a CVSS score of 7.5 (HIGH). CVE-2021-3252 is an authentication bypass vulnerability in KACO New Energy XP100U devices where the local server always returns valid credentials in plain text regardless of input password. This allows attackers to obtain legitimate login credentials and gain unauthorized access to the Human-Machine Interface (HMI). Organizations using KACO XP100U devices with XP-JAVA software up to version 2.0 are affected.

📋 TL;DR

CVE-2021-3252 is an authentication bypass vulnerability in KACO New Energy XP100U devices where the local server always returns valid credentials in plain text regardless of input password. This allows attackers to obtain legitimate login credentials and gain unauthorized access to the Human-Machine Interface (HMI). Organizations using KACO XP100U devices with XP-JAVA software up to version 2.0 are affected.

💻 Affected Systems

Products:

KACO New Energy XP100U

Versions: Up to XP-JAVA 2.0

Operating Systems: Embedded/Proprietary

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the authentication mechanism of the local server component.

📦 What is this software?

Xp100u Firmware by Kaco Newenergy

View all CVEs affecting Xp100u Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full administrative access to the HMI, potentially allowing them to manipulate industrial control systems, disrupt energy production, or cause physical damage to equipment.

🟠

Likely Case

Unauthorized access to the HMI interface leading to information disclosure, configuration changes, or disruption of monitoring capabilities.

🟢

If Mitigated

Limited impact if devices are properly segmented and access is restricted to authorized personnel only.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires network access to the device's authentication endpoint. Public blog posts demonstrate the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01

Restart Required: No

Instructions:

No official patch available. Follow workarounds and mitigation steps.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate KACO XP100U devices from untrusted networks and restrict access to authorized IP addresses only.

Access Control Lists

all

Implement firewall rules to block unauthorized access to the device's authentication endpoints.

🧯 If You Can't Patch

Implement strict network segmentation to isolate affected devices from untrusted networks
Monitor network traffic for unauthorized authentication attempts to the device endpoints

🔍 How to Verify

Check if Vulnerable:

Test authentication endpoint by sending invalid credentials and checking if valid credentials are returned in plain text.

Check Version:

Check device firmware/software version through HMI interface or device documentation.

Verify Fix Applied:

Verify that authentication endpoint no longer returns credentials when invalid passwords are provided.

📡 Detection & Monitoring

Log Indicators:

Multiple failed authentication attempts followed by successful access
Authentication requests from unusual IP addresses

Network Indicators:

HTTP requests to authentication endpoints from unauthorized sources
Plain text credential transmission in network traffic

SIEM Query:

source_ip IN (unauthorized_ips) AND destination_port=80 AND uri_path CONTAINS 'auth' OR 'login'

📊 Metadata

CVE ID: CVE-2021-3252

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-522

Published: February 23, 2021

Last Updated: November 21, 2024

🔗 References

https://tiger-team-1337.blogspot.com/2021/01/kaco-xp100u-hmi-credential-leak.html Exploit,Technical Description,Third Party Advisory
https://twitter.com/Kevin2600/status/1351189347501023238 Third Party Advisory
https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01 Third Party Advisory,US Government Resource
https://tiger-team-1337.blogspot.com/2021/01/kaco-xp100u-hmi-credential-leak.html Exploit,Technical Description,Third Party Advisory
https://twitter.com/Kevin2600/status/1351189347501023238 Third Party Advisory
https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01 Third Party Advisory,US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-3252, you might also want to check these: