Osprey Pump Controller Firmware
CVE-2023-28398
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Osprey Pump Controller version 1.01 could allow an unauthenticated user to create an account and bypass authentication, thereby gaining unauthorized access to the system. A threat actor could exploit this vulnerability to create a user account without providing valid credentials. A threat actor who successfully exploits this vulnerability could gain access to the pump controller and cause disruption in operation, modify data, or shut down the controller.
AnalysisAI
Osprey Pump Controller version 1.01 could allow an unauthenticated user to create an account and bypass authentication, thereby gaining unauthorized access to the system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Improper Authentication (CWE-287), which allows attackers to bypass authentication mechanisms to gain unauthorized access. Osprey Pump Controller version 1.01 could allow an unauthenticated user to create an account and bypass authentication, thereby gaining unauthorized access to the system. A threat actor could exploit this vulnerability to create a user account without providing valid credentials. A threat actor who successfully exploits this vulnerability could gain access to the pump controller and cause disruption in operation, modify data, or shut down the controller. Affected products include: Propumpservice Osprey Pump Controller Firmware. Version information: version 1.01.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement multi-factor authentication, enforce strong password policies, use proven authentication frameworks.
Osprey Pump Controller version 1.01 contains an unauthenticated command injection vulnerability that could allow system
Osprey Pump Controller version 1.01 has a hidden administrative account that has the hardcoded password that allows full
Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated OS command injection vulnerability. Rated critic
Osprey Pump Controller version 1.01 is vulnerable an unauthenticated OS command injection vulnerability. Rated critical
Osprey Pump Controller version 1.01 allows users to perform certain actions via HTTP requests without performing any che
Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated file disclosure. Rated high severity (CVSS 7.5),
Osprey Pump Controller version 1.01 is vulnerable to a weak session token generation algorithm that can be predicted and
Osprey Pump Controller version 1.01 inputs passed to a GET parameter are not properly sanitized before being returned to
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today