go to Content

TWCERT/CC Taiwan Computer Emergency Response Team/Coordination Center


ECOA BAS controller - Use of Hard-coded Credentials

TVN ID TVN-202109015
CVE ID CVE-2021-41299
CVSS 9.8 (Critical)
Affected Products ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Description ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain administrator’s privilege without logging in.
Solution Contact tech support from ECOA.
Credit Gjoko Krstic(Zero Science Lab)
Public Date 2021-09-30