Nicolas Cano

**Name of the Vulnerable Software and Affected Versions** SNAP PAC S1 Firmware version R10.3b **Description** The issue is related to the lack of a limit on the number of login attempts in the web server. This could allow for a brute-force attack on the built-in web server login. **Recommendations** For SNAP PAC S1 Firmware version R10.3b, consider implementing a limit on the number of login attempts or temporarily restricting access to the built-in web server login to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SNAP PAC S1 Firmware version R10.3b **Description** The built-in web server of the SNAP PAC S1 Firmware does not require complex passwords, which could allow for a successful brute force attack if users do not set up complex credentials. **Recommendations** For SNAP PAC S1 Firmware version R10.3b, consider setting up complex credentials to prevent brute force attacks. As a temporary workaround, restrict access to the built-in web server until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SNAP PAC S1 Firmware version R10.3b **Description** The File Transfer Protocol (FTP) port is open by default, which could allow an adversary to access some device files. **Recommendations** For SNAP PAC S1 Firmware version R10.3b, consider disabling the FTP port as a temporary workaround until a patch is available. Restrict access to the device files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SNAP PAC S1 Firmware version R10.3b **Description** An adversary could crash the entire device by sending a large quantity of ICMP requests if the controller has the built-in web server enabled but does not have the built-in web server completely set up and configured. **Recommendations** For SNAP PAC S1 Firmware version R10.3b, ensure the built-in web server is completely set up and configured to prevent potential crashes from large quantities of ICMP requests. As a temporary workaround, consider disabling the built-in web server until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SNAP PAC S1 Firmware version R10.3b **Description** An adversary could cause a continuous restart loop to the entire device by sending a large quantity of HTTP GET requests if the controller has the built-in web server enabled but does not have the built-in web server completely set up and configured. **Recommendations** For SNAP PAC S1 Firmware version R10.3b, ensure the built-in web server is completely set up and configured to prevent exploitation. As a temporary workaround, consider disabling the built-in web server until a proper configuration is in place.