CVE-2021-41292

Summary

ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.

Affected Software

VendorProductVersion RangeStatus
ECOAECS Router Controller ECS (FLASH)next of 0 < unspecifiedunknown
ECOARiskBuster Terminator E6L45next of 0 < unspecifiedunknown
ECOARiskBuster System RB 3.0.0next of 0 < unspecifiedunknown
ECOARiskBuster System TRANE 1.0next of 0 < unspecifiedunknown
ECOAGraphic Control Softwarenext of 0 < unspecifiedunknown
ECOASmartHome II E9246next of 0 < unspecifiedunknown
ECOARiskTerminatornext of 0 < unspecifiedunknown

Weaknesses

  • CWE-288: CWE-288 Authentication Bypass Using an Alternate Path or Channel

ADP Enrichment

CVE Program Container

Additional References

References