Gessler GmbH’s WEB-MASTER, a crucial emergency lighting management system, faces severe vulnerabilities in its infrastructure. Two critical vulnerabilities have been identified: the use of weak credentials and weak hashing algorithms. Exploitation of these vulnerabilities could grant attackers control over the web management of the device and enable them to extract and decipher password hashes for all users stored on the system.
The affected product is WEB-MASTER version 7.9, and these vulnerabilities pose a significant risk, with a CVSS v3 score of 9.8 for the weak credentials vulnerability and 4.4 for the weak hashing vulnerability. These vulnerabilities were responsibly disclosed to CISA by researchers Felix Eberstaller and Nino Fürthauer of Limes Security.
To mitigate these vulnerabilities, Gessler GmbH recommends updating WEB-MASTER to version 4.4 or greater. However, it’s essential for these updates to be applied by Gessler GmbH technicians. Organizations are advised to perform impact analysis and risk assessment before implementing defensive measures. Additionally, CISA offers resources and best practices for industrial control system cybersecurity.
While there have been no reported cases of public exploitation targeting these vulnerabilities, organizations are urged to remain vigilant and report any suspicious activities to CISA for further investigation.
