EchelonCVEs & Vulnerabilities

5 CVEs affecting Echelon products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

i.lon 100 4i.lon 100 firmware 4smartserver 1 4smartserver 1 firmware 4smartserver 2 4smartserver 2 firmware 4i.lon 600 3i.lon 600 firmware 3
CVE-2022-3089CRITICAL

Echelon SmartServer 2.2 with i.LON Vision 2.2 stores cleartext credentials in a file, which could allow an attacker to obtain cleartext usernames and passwords of the SmartServer. If the attacker obtains the file, then the credentials could be used to control the web user interface and file transfer protocol (FTP) server.

13 Feb 2023
9.8
CVSS
CVE-2018-8859CRITICAL

Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. An attacker can bypass the required authentication specified in the security configuration file by including extra characters in the directory name when specifying the directory to be accessed. This vulnerability does not affect the i.LON 600 product.

24 Jul 2018
9.8
CVSS
CVE-2018-8855CRITICAL

Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP.

24 Jul 2018
9.8
CVSS
CVE-2018-8851CRITICAL

Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices store passwords in plaintext, which may allow an attacker with access to the configuration file to log into the SmartServer web user interface.

24 Jul 2018
9.8
CVSS
CVE-2018-10627CRITICAL

Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. An attacker can use the SOAP API to retrieve and change sensitive configuration items such as the usernames and passwords for the Web and FTP servers. This vulnerability does not affect the i.LON 600 product.

24 Jul 2018
9.8
CVSS
← PrevPage 1 / 1Next →