CVE-2012-5864

These Sinapsi devices do not check if users that visit pages within the device have properly authenticated. By directly visiting the pages within the device, attackers can gain unauthorized access with administrative privileges.

CVSS v2.0 9.4 HIGH

9.4^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:N

Exploitability : 10.0 / Impact : 9.2

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact NONE

References

Link	Resource
http://archives.neohapsis.com/archives/bugtraq/2012-09/0045.html	Exploit
http://www.exploit-db.com/exploits/21273/	Exploit
http://www.sinapsitech.it/default.asp?active_page_id=78&news_id=88
https://exchange.xforce.ibmcloud.com/vulnerabilities/80200
https://www.cisa.gov/news-events/ics-advisories/icsa-12-325-01
http://archives.neohapsis.com/archives/bugtraq/2012-09/0045.html	Exploit
http://www.exploit-db.com/exploits/21273/	Exploit
http://www.sinapsitech.it/default.asp?active_page_id=78&news_id=88
http://www.us-cert.gov/control_systems/pdf/ICSA-12-325-01.pdf	US Government Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/80203

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:sinapsitech:sinapsi_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:sinapsitech:esolar_duo_photovoltaic_system_monitor:-:::::::*
	cpe:2.3:h:sinapsitech:esolar_light_photovoltaic_system_monitor:-:::::::*
	cpe:2.3:h:sinapsitech:esolar_photovoltaic_system_monitor:-:::::::*

History

08 Jul 2025, 16:15

Type	Values Removed	Values Added
References		() https://exchange.xforce.ibmcloud.com/vulnerabilities/80200 - () https://www.cisa.gov/news-events/ics-advisories/icsa-12-325-01 -
CWE		CWE-287
CVSS	v2 : ~~10.0~~ v3 : ~~unknown~~	v2 : 9.4 v3 : unknown
Summary	(en) The management web pages on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 do not require authentication, which allows remote attackers to obtain administrative access via a direct request, as demonstrated by a request to ping.php.	(en) These Sinapsi devices do not check if users that visit pages within the device have properly authenticated. By directly visiting the pages within the device, attackers can gain unauthorized access with administrative privileges.

21 Nov 2024, 01:45

Type	Values Removed	Values Added
References	~~() http://archives.neohapsis.com/archives/bugtraq/2012-09/0045.html - Exploit~~	() http://archives.neohapsis.com/archives/bugtraq/2012-09/0045.html - Exploit
References	~~() http://www.exploit-db.com/exploits/21273/ - Exploit~~	() http://www.exploit-db.com/exploits/21273/ - Exploit
References	~~() http://www.sinapsitech.it/default.asp?active_page_id=78&news_id=88 -~~	() http://www.sinapsitech.it/default.asp?active_page_id=78&news_id=88 -
References	~~() http://www.us-cert.gov/control_systems/pdf/ICSA-12-325-01.pdf - US Government Resource~~	() http://www.us-cert.gov/control_systems/pdf/ICSA-12-325-01.pdf - US Government Resource
References	~~() https://exchange.xforce.ibmcloud.com/vulnerabilities/80203 -~~	() https://exchange.xforce.ibmcloud.com/vulnerabilities/80203 -

Information

Published : 2012-11-23 12:09

Updated : 2025-07-08 16:15

NVD link : CVE-2012-5864

Mitre link : CVE-2012-5864

CVE.ORG link : CVE-2012-5864

JSON object : View

Products Affected

sinapsitech

sinapsi_firmware
esolar_light_photovoltaic_system_monitor
esolar_duo_photovoltaic_system_monitor
esolar_photovoltaic_system_monitor

CWE

CWE-287

Improper Authentication

CWE-264

Permissions, Privileges, and Access Controls

9.4 /10