CVE-2020-25180

Name of the Vulnerable Software and Affected Versions Rockwell Automation ISaGRAF Runtime versions 4.x through 5.x

Description The issue concerns the encryption of passwords used to execute privileged commands in the ISaGRAF Runtime. Specifically, a fixed key value is used with the tiny encryption algorithm (TEA) to encrypt entered or saved passwords. A remote, unauthenticated attacker could potentially pass their own encrypted password to the ISaGRAF 5 Runtime, leading to information disclosure on the device.

Recommendations For versions 4.x through 5.x, consider disabling the password functionality until a secure method of encryption is implemented. As a temporary workaround, restrict access to the ISaGRAF Runtime to minimize the risk of exploitation.