Eaton released a software update to address an improper access control vulnerability in its xComfort Ethernet Communication Interface (ECI), according to an advisory published by ICS-CERT.
The issue affects the xComfort ECI building automation system, Versions 1.07 and prior.
The vulnerability, discovered by Maxim Rupp, is remotely exploitable: successful exploitation may allow an attacker to access backup files and system logs without authenticating.
Because of the improper access control, a malicious user who requests a specific uniform resource locator (URL) on the device's web server may be able to retrieve those files without authenticating.
CVE-2017-9368 has been assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The product is used in the commercial facilities sector and is deployed worldwide, said officials at Dublin, Ireland-based Eaton.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could exploit the vulnerability.
Eaton recommended that affected users upgrade to the latest version of the software, which can be downloaded from the Software Downloads tab under the Documentation tab.
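The flaw class described above, missing authentication on a URL that serves backup files and logs, illustrated as an added example that is not Eaton's firmware or ICS-CERT's code: a minimal handler with the defect, a hardened variant that denies before touching the resource, and a small access-log check a defender could run. All paths, log lines and the session model are constructed placeholders; the advisory does not publish the real URL.

```python
# Added illustration, not code from Eaton or ICS-CERT: a minimal web handler in
# the improper-access-control pattern the advisory describes, a hardened
# variant, and a log check a defender could run. File paths are placeholders;
# the advisory does not publish the real URL.
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample resources standing in for backup files and system logs.
FILES = {
    "/placeholder/backup.bin": b"<backup archive>",
    "/placeholder/system.log": b"<system log>",
}
PROTECTED = set(FILES)  # everything here must require a logged-in session

@dataclass
class Request:
    path: str
    user: Optional[str] = None  # None means no valid session cookie

@dataclass
class Response:
    status: int
    body: bytes = b""

def handle_vulnerable(req: Request) -> Response:
    """Serves any known path with no authentication check (the flaw class)."""
    if req.path in FILES:
        return Response(200, FILES[req.path])
    return Response(404)

def handle_hardened(req: Request) -> Response:
    """Denies protected paths up front unless a session exists, then serves."""
    if req.path in PROTECTED and req.user is None:
        return Response(401)
    return handle_vulnerable(req)  # authorization already enforced above

def unauthenticated_hits(log_lines: List[str]) -> List[str]:
    """Flag access-log entries where a protected path was served (200) to a
    request with no user. Constructed format: '<client> <user|-> <path> <status>'."""
    hits = []
    for line in log_lines:
        client, user, path, status = line.split()
        if path in PROTECTED and user == "-" and status == "200":
            hits.append(line)
    return hits

# Constructed sample access log, not from a real device.
SAMPLE_LOG = [
    "198.51.100.7 - /placeholder/backup.bin 200",
    "198.51.100.7 admin /placeholder/system.log 200",
    "198.51.100.9 - /index.html 200",
]
```

The hardened handler denies before any file lookup, and `unauthenticated_hits` flags only the first sample line, a protected path served without a user.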