Ewon Security Vulnerability
Ewon reference: System - Ewon configuration parameters encryption mechanism improvement
Affected devices: All
Affected firmware versions: All
- Fixed on Flexy and Cosy 131 device families
- Fix under development for the CD and Cosy 141 device families
Severity: Medium (CVSS 3 score of 6.8)
Encryption of device configuration parameters is weak due to an implementation issue in the encryption function.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to the local system and perform potentially harmful actions on the device itself, and also on devices connected to the Ewon device.
As a rule, we recommend:
- avoid making Ewon devices directly reachable by untrusted users, by using a firewall and an access control policy.
- use a secure remote access solution such as Talk2M (https://www.ewon.biz/cloud-services/talk2m).
- change the adm password at first login and use a strong one.
Install the latest firmware version. This has been fixed as of firmware version 13.3s0 for the Flexy and Cosy 131 families.
Check the firmware section to learn how to update your Ewon devices.
Discovered by: Tijl Deneut - Howest (UGent) & Stu Kennedy - PentestPartners