Risk Summary
Successful exploitation of these vulnerabilities could allow an attacker to utilize the JSON web token (JWT) to reset account passwords, use expired credentials, perform brute force attacks on credentials, or cause a denial-of-service condition.
Remediations
- Weintek has updated their account API to v0.13.8, which has fixed the issue. This fix does not require any action for users.
- Additional mitigations are recommended to help reduce risk:
  - Log in on trusted computers where possible, and log out after use on untrusted ones.
  - On the HMIs, if the online services are not used, set EasyAccess 2.0 or Dashboard services to offline mode using the system reserved addresses.
  - Change passwords regularly to reduce risk.
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet; only the devices and/or systems that require it should have internet access.
Affected Vendors
Weintek
Affected Products (1)
- Weintek Account API, versions <= 0.13.6
Affected Sectors
Critical Manufacturing