Rubén Santamarta

**Nome do Software Vulnerável e Versões Afetadas** Ingecon Sun EMS Board versões AAX1055CT e anteriores Ingecon Sun EMS Board versões ABU1001 P e anteriores Ingecon Sun EMS Board versões ACL1201 B e anteriores Ingecon Sun EMS Board versões ACL1200AL e anteriores Ingecon Sun EMS Board versões ABH1027 K e anteriores Ingecon Sun EMS Board versões ABH1007 Z e anteriores Ingecon Sun EMS Board versões ABS1009 L e anteriores Ingecon Sun EMS Board versões ABS1005 T e anteriores Ingecon Sun EMS Board versões ACB1005 A e anteriores Ingecon Sun EMS Board versões AAX1031CN e anteriores **Descrição** A geração insegura de credenciais na funcionalidade de acesso local SAT (Suporte Técnico) ocorre porque as credenciais de acesso secretas são baseadas em um algoritmo de hashing fraco, em vez de um esquema criptográfico seguro. Isso permite que um invasor preveja ou realize ataques de força bruta nas credenciais, levando à escalada de privilégios e ao acesso não autorizado de alto privilégio no dispositivo. **Recomendações** Atualize para as versões lançadas em 28 de abril de 2026.

**Name of the Vulnerable Software and Affected Versions** TURCK BL20 Programmable Gateway (affected versions not specified) TURCK BL67 Programmable Gateway (affected versions not specified) **Description** The issue allows remote attackers to obtain administrative access via an FTP session due to hardcoded accounts. **Recommendations** For TURCK BL20 Programmable Gateway, change the hardcoded account credentials to unique and secure values. For TURCK BL67 Programmable Gateway, change the hardcoded account credentials to unique and secure values.

**Name of the Vulnerable Software and Affected Versions** Consona Dynamic Agent, Repair Manager, Subscriber Activation, and Subscriber Agent (affected versions not specified) **Description** The issue concerns the tgsrv.exe in the Repair Service, which relies on a predictable timestamp field to validate input to the named pipe. This allows remote authenticated users to execute arbitrary code by obtaining the current time from either tcpip.sys or an SMB2 service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Consona Live Assistance, Dynamic Agent, and Subscriber Assistance (affected versions not specified) **Description** The issue is related to a buffer overflow in the RunCmd method in the SdcUser.TgConCtl ActiveX control in tgctlcm.dll. This allows remote attackers to execute arbitrary code via vectors involving "CreateProcess params." **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Consona Live Assistance, Dynamic Agent, and Subscriber Assistance (affected versions not specified) **Description** The issue concerns the Forgot Password implementation, which allows remote attackers to reset passwords of certain accounts. This can be achieved by sending empty values for the `Hint questions` and `Hint answers` fields, specifically targeting accounts with blank values for these fields. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Consona Live Assistance, Dynamic Agent, and Subscriber Assistance (affected versions not specified) **Description** The issue allows remote attackers to inject arbitrary web script or HTML via crafted input to ASP pages. This can be demonstrated using the `backurl` parameter to "sdccommon/verify/asp/n6plugindestructor.asp" API endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Consona Live Assistance, Dynamic Agent, and Subscriber Assistance (affected versions not specified) **Description** The issue relates to the site-locking implementation in the SdcWebSecureBase interface, which relies on a list of server domain names to restrict the execution of ActiveX controls. This makes it easier for man-in-the-middle attackers to execute arbitrary code via a DNS hijacking attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Consona Live Assistance, Dynamic Agent, and Subscriber Assistance (affected versions not specified) **Description** The issue allows remote attackers to bypass intended restrictions on ActiveX execution via instantiation/free attacks, potentially affecting the security of the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Consona Live Assistance, Dynamic Agent, and Subscriber Assistance (affected versions not specified) **Description** The issue concerns the default configuration of pluginlicense.ini for the SdcWebSecureBase interface in tgctlcm.dll. This configuration contains an incorrect DNS whitelist that includes the DNS hostnames of home computers of many persons. As a result, remote attackers can bypass intended restrictions on ActiveX execution by hosting an ActiveX control on an applicable home web server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NetBiterConfig version 1.3.0 **Description** The issue is a stack-based buffer overflow in the NetBiterConfig utility, allowing remote attackers to execute arbitrary code. This is achieved by sending a crafted HICP-protocol UDP packet with a long `hn` (hostname) parameter. **Recommendations** For version 1.3.0, consider restricting access to the NetBiterConfig utility until a patch is available. As a temporary workaround, avoid using long `hn` (hostname) parameters in HICP-protocol UDP packets to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Intellicom NetBiter WebSCADA devices (affected versions not specified) **Description** The issue concerns the use of default passwords for the HICP network configuration service in Intellicom NetBiter WebSCADA devices. This makes it easier for remote attackers to modify network settings and cause a denial of service. It is noted that this is only considered a vulnerability when the administrator does not follow the recommendations provided in the product's installation documentation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Word versions in Office 2000 SP3, XP SP3, Office 2003 SP2, and Office Word Viewer 2003 **Description** A remote code execution issue exists in the way that Word handles specially crafted Word files. This could allow remote code execution if a user opens a specially crafted Word file that includes a malformed value. An attacker who successfully exploits this issue could take complete control of an affected system, then install programs, view, change, or delete data, or create new accounts with full user rights. The issue is triggered by crafted fields within the File Information Block (FIB) of a Word file, which causes length calculation errors and memory corruption. **Recommendations** For Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, and Office Word Viewer 2003, at the moment, there is no information about a newer version that contains a fix for this issue.