TWCERT/CC Taiwan Computer Emergency Response Team/Coordination Center-ECOA BAS controller

ECOA BAS controller - Weak Password Requirements

TVN ID	TVN-202109012
CVE ID	CVE-2021-41296
CVSS	9.8 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products	ECOA ECS Router Controller - ECS (FLASH) ECOA RiskBuster Terminator - E6L45 ECOA RiskBuster System - RB 3.0.0 ECOA RiskBuster System - TRANE 1.0 ECOA Graphic Control Software ECOA SmartHome II - E9246 ECOA RiskTerminator
Description	ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.
Solution	Contact tech support from ECOA.
Credit	Gjoko Krstic(Zero Science Lab)
Public Date	2021-09-30

ECOA BAS controller - Weak Password Requirements