Sign-up

ID

VAR-201509-0440


CVE

CVE-2015-3974


TITLE

Used in products from multiple vendors EasyIO EasyIO-30P-SF Vulnerabilities that can gain access rights in controller firmware

Trust: 0.8

sources: JVNDB: JVNDB-2015-004971

DESCRIPTION

EasyIO EasyIO-30P-SF controllers with firmware before 0.5.21 and 2.x before 2.0.5.21, as used in Accutrol, Bar-Tech Automation, Infocon/EasyIO, Honeywell Automation India, Johnson Controls, SyxthSENSE, Transformative Wave Technologies, Tridium Asia Pacific, and Tridium Europe products, have a hardcoded password, which makes it easier for remote attackers to obtain access via unspecified vectors. EasyIO EasyIO-30P-SF is prone to a security-bypass vulnerability. A remote attacker may leverage this issue to gain access to the vulnerable device. EasyIO EasyIO-30P-SF is a 32-bit controller product developed by Malaysia EasyIO company and applied in DDC (direct digital control) system. A security vulnerability exists in EasyIO EasyIO-30P-SF controllers using firmware versions prior to 0.5.21 and 2.x versions prior to 2.0.5.21 due to the program's use of hard-coded passwords

Trust: 1.98

sources: NVD: CVE-2015-3974 // JVNDB: JVNDB-2015-004971 // BID: 76845 // VULHUB: VHN-81935

AFFECTED PRODUCTS

vendor:easyiomodel:easyio-30p-sfscope:eqversion:*

Trust: 1.0

vendor:easyiomodel:easyio-30p-sfscope:lteversion:2.0.5.20

Trust: 1.0

vendor:easyiomodel:easyio-30p-sfscope:lteversion:0.5.20

Trust: 1.0

vendor:easyiomodel:easyio-30p-sfscope:eqversion:2.0.5.21

Trust: 0.8

vendor:easyiomodel:easyio-30p-sfscope:ltversion:2.x

Trust: 0.8

vendor:easyiomodel:easyio-30p-sfscope: - version: -

Trust: 0.8

vendor:easyiomodel:easyio-30p-sfscope:eqversion:0.5.20

Trust: 0.6

vendor:easyiomodel:easyio-30p-sfscope:eqversion:2.0.5.20

Trust: 0.6

vendor:tridiummodel:vykon ios30pscope:eqversion:0

Trust: 0.3

vendor:tridiummodel:sedona controller point ios30pscope:eqversion:30??0

Trust: 0.3

vendor:tridiummodel:ios30p sedonascope:eqversion:0

Trust: 0.3

vendor:transformative wavemodel:catalyst cat-371scope:eqversion:0

Trust: 0.3

vendor:syxthsensemodel:easyio 30pscope:eqversion:0

Trust: 0.3

vendor:johnsonmodel:controls field controller bacnet fc-30bscope:eqversion:0

Trust: 0.3

vendor:infoconmodel:easyio-30p-sf45scope:eqversion:0

Trust: 0.3

vendor:honeywellmodel:easyio 30pscope:eqversion:0

Trust: 0.3

vendor:easyiomodel:easyio-30p-sfscope:eqversion:0

Trust: 0.3

vendor:bar techmodel:automation bta sedona controllerscope:eqversion:0

Trust: 0.3

vendor:bar techmodel:automation btascope:eqversion:10-300

Trust: 0.3

vendor:accutrolmodel:llc easy io-30p-sf45 ac7100scope:eqversion:??0

Trust: 0.3

vendor:easyiomodel:easyio-30p-sfscope:neversion:0.5.21

Trust: 0.3

vendor:easyiomodel:easyio-30p-sfscope:neversion:2.0.5.21

Trust: 0.3

vendor:bar techmodel:automation bta sedona controllerscope:neversion:0.5.22

Trust: 0.3

vendor:bar techmodel:automation bta sedona controllerscope:neversion:2.0.5.22

Trust: 0.3

vendor:bar techmodel:automation btascope:neversion:10-300.5.22

Trust: 0.3

vendor:bar techmodel:automation btascope:neversion:10-302.0.5.22

Trust: 0.3

sources: BID: 76845 // JVNDB: JVNDB-2015-004971 // CNNVD: CNNVD-201509-565 // NVD: CVE-2015-3974

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-3974
value: HIGH

Trust: 1.0

NVD: CVE-2015-3974
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201509-565
value: CRITICAL

Trust: 0.6

VULHUB: VHN-81935
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-3974
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-81935
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-81935 // JVNDB: JVNDB-2015-004971 // CNNVD: CNNVD-201509-565 // NVD: CVE-2015-3974

PROBLEMTYPE DATA

problemtype:CWE-255

Trust: 1.9

sources: VULHUB: VHN-81935 // JVNDB: JVNDB-2015-004971 // NVD: CVE-2015-3974

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201509-565

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201509-565

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-004971

PATCH
title:EasyIO-30P-SFurl:http://www.easyio.com/easyio-30p-sf
Trust: 0.8
title:EasyIO EasyIO-30P-SF Fixes for controller trust management vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=57821
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2015-004971 // 
            
            
            
            CNNVD: CNNVD-201509-565

EXTERNAL IDS
db:NVDid:CVE-2015-3974
Trust: 2.8
db:ICS CERTid:ICSA-15-237-02
Trust: 2.8
db:JVNDBid:JVNDB-2015-004971
Trust: 0.8
db:CNNVDid:CNNVD-201509-565
Trust: 0.7
db:BIDid:76845
Trust: 0.4
db:VULHUBid:VHN-81935
Trust: 0.1
sources:
            
            
            VULHUB: VHN-81935 // 
            
            
            
            BID: 76845 // 
            
            
            
            JVNDB: JVNDB-2015-004971 // 
            
            
            
            CNNVD: CNNVD-201509-565 // 
            
            
            
            NVD: CVE-2015-3974

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-15-237-02
Trust: 2.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3974
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-3974
Trust: 0.8
url:http://www.easyio.com/easyio-30p-sf
Trust: 0.3
url:https://ics-cert.us-cert.gov/advisories/icsa-15-237-02-supplement
Trust: 0.3
sources:
            
            
            VULHUB: VHN-81935 // 
            
            
            
            BID: 76845 // 
            
            
            
            JVNDB: JVNDB-2015-004971 // 
            
            
            
            CNNVD: CNNVD-201509-565 // 
            
            
            
            NVD: CVE-2015-3974

CREDITS
Maxim Rupp
Trust: 0.3
sources:
            
            
            BID: 76845

SOURCES
db:VULHUBid:VHN-81935
db:BIDid:76845
db:JVNDBid:JVNDB-2015-004971
db:CNNVDid:CNNVD-201509-565
db:NVDid:CVE-2015-3974

LAST UPDATE DATE
2025-04-13T23:22:23.927000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-81935date:2015-09-29T00:00:00
db:BIDid:76845date:2015-09-24T00:00:00
db:JVNDBid:JVNDB-2015-004971date:2015-09-30T00:00:00
db:CNNVDid:CNNVD-201509-565date:2015-10-09T00:00:00
db:NVDid:CVE-2015-3974date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-81935date:2015-09-28T00:00:00
db:BIDid:76845date:2015-09-24T00:00:00
db:JVNDBid:JVNDB-2015-004971date:2015-09-30T00:00:00
db:CNNVDid:CNNVD-201509-565date:2015-09-30T00:00:00
db:NVDid:CVE-2015-3974date:2015-09-28T02:59:01.653