1. EXECUTIVE SUMMARY

• Vendor: Weintek
• Equipment: cMT3072XH2, easyweb, command_wb.cgi, network_config.cgi, upload_wb.cgi, download_wb.cgi, reset_pj.cgi, webview.cgi
• Web Version: V2.1.53
• OS version: 20231011
• Vulnerabilities:
  • Default HMI Account Credentials(developer, weintekOS)
  • Persistent Command Injection Through HMI Name Field: Command injection
  • Real-time Command Injection Through DHCP Service: Command injection
  • Unauthorized VNC Access Using Service Accounts
  • Unauthorized HMI Control via reset_pj.cgi
  • Unauthenticated File Download
  • Hardcoded Encryption Keys in JSON Communication
  • Plaintext Storage of User Credentials
  • Static Default FTP Account Credentials

2. RISK EVALUATION

The discovered vulnerabilities present critical security risks through multiple interconnected attack paths:

1. Authentication Bypass & Access Control Risks:

• Default HMI accounts and VNC vulnerabilities allow unauthorized HMI access
• Attackers on the same network can control industrial processes without authentication
• System control functions accessible through reset_pj.cgi ⇒ Enables complete operational control of industrial processes without admin credentials

1. System Integrity & Root Access Risks:

• Command injection vulnerabilities provide root shell access
• Arbitrary file upload can be exploited for malicious code execution
• Unrestricted file download exposes sensitive system files

1. Credential & Encryption Security Risks:

• Storage of user credentials in plaintext allows attackers to easily access all user passwords regardless of complexity