TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure.
The vulnerability combines two issues: a flaw in the authentication mechanism (CWE-287) that allows an attacker to gain system access without providing correct login credentials, and the transmission of authentication data in unencrypted form (CWE-319). An attacker can intercept or bypass the identity verification process and then — due to the lack of encryption — gain access to login data of other users being transmitted over the network. The entire attack is possible remotely, without victim interaction and without requiring any permissions in the system.
An attacker can gain full, unauthorized access to the TM2 monitoring system, take control of its data and configuration, and obtain user authentication credentials (confidentiality, integrity, and availability of the system are fully compromised).
Apply patches available from the vendor according to the references. It is temporarily recommended to restrict network access to the TM2 Monitoring system using a firewall or VPN and to monitor network traffic for unauthorized access attempts. Avoid transmitting authentication credentials over untrusted networks until the patch is applied.
TM2 Monitoring version 3.04
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H