go to Content

TWCERT/CC Taiwan Computer Emergency Response Team/Coordination Center


ECOA BAS controller - Missing Encryption of Sensitive Data

TVN ID TVN-202109018
CVE ID CVE-2021-41302
CVSS 7.3 (High)
Affected Products ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Description ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege.
Solution Contact tech support from ECOA.
Credit Gjoko Krstic(Zero Science Lab)
Public Date 2021-09-30