CRITICAL🇵🇱 Wersja polska

CVE-2024-47945

CVSS 9.8v3.1pub. 2024-10-15upd. 2025-11-03

The devices are vulnerable to session hijacking due to insufficient entropy in its session ID generation algorithm. The session IDs are predictable, with only 32,768 possible values per user, which allows attackers to pre-generate valid session IDs, leading to unauthorized access to user sessions. This is not only due to the use of an (insecure) rand() function call but also because of missing initialization via srand(). As a result only the PIDs are effectively used as seed.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Rittal Cmc Iii Processing Units

    HW
    Rittal
    wszystkie wersje
  • Rittal Cmc Iii Processing Units Firmware

    OS
    Rittal
    < 6.21.00.2
  • Rittal Iot Interface

    HW
    Rittal
    wszystkie wersje
  • Rittal Iot Interface Firmware

    OS
    Rittal
    < 6.21.00.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2020-11951CRITICAL9.8ten sam vendor

An issue was discovered on Rittal PDU-3C002DEC through 5.17.10 and CMCIII-PU-9333E0FB through 3.17.10 devices....

CVE-2020-11956CRITICAL9.8ten sam vendor

An issue was discovered on Rittal PDU-3C002DEC through 5.17.10 and CMCIII-PU-9333E0FB through 3.17.10 devices....

CVE-2019-13553CRITICAL9.8ten sam vendor

Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4. The authentic...

CVE-2021-40222HIGH7.2ten sam vendor

Rittal CMC PU III Web management Version affected: V3.11.00_2. Version fixed: V3.17.10 is affected by a remote...

CVE-2020-11955HIGH8.8ten sam vendor

An issue was discovered on Rittal PDU-3C002DEC through 5.15.70 and CMCIII-PU-9333E0FB through 3.15.70 devices....