go to Content

TWCERT/CC Taiwan Computer Emergency Response Team/Coordination Center


ECOA BAS controller - Path Traversal-1

TVN ID TVN-202109006
CVE ID CVE-2021-41290
CVSS 9.8 (Critical)
Affected Products ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Description ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device.
Solution Contact tech support from ECOA.
Credit Gjoko Krstic (Zero Science Lab)
Public Date 2021-09-30