Multiple vulnerabilities in Arteche's saTECH BCU
Posted date 27/03/2025
Identifier
INCIBE-2025-0160
Importance
4 - High
Affected Resources
saTECH BCU, version 2.1.3.
Description
INCIBE has coordinated the publication of 8 vulnerabilities (one of high severity, 5 of medium severity and two of low severity) affecting saTECH BCU, control and automation equipment specialised in data acquisition and position control in electrical substations. The vulnerabilities were discovered by Aarón Flecha Menéndez and Gabriel Vía Echezarreta.
Each vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-2858: CVSS v4.0: 8.5 | CVSS AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:L | CWE-269
- CVE-2025-2859: CVSS v4.0: 6.9 | CVSS AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-287
- CVE-2025-2860: CVSS v4.0: 6.9 | CVSS AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-200
- CVE-2025-2861: CVSS v4.0: 6.9 | CVSS AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-319
- CVE-2025-2862: CVSS v4.0: 6.9 | CVSS AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-261
- CVE-2025-2863: CVSS v4.0: 5.7 | CVSS AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N | CWE-352
- CVE-2025-2864: CVSS v4.0: 2.0 | CVSS AV:A/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
- CVE-2025-2865: CVSS v4.0: 2.4 | CVSS AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L | CWE-942
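The vectors above can be parsed to group the eight CVEs by the access each one requires. This is an added example, not part of the INCIBE advisory or any Arteche code; the function names (`parse_vector`, `triage`, `by_reach`) and the grouping are assumptions, and the vectors are copied from the list above, which omits the `CVSS:4.0/` prefix that the parser therefore treats as optional.

```python
# Added example: vectors copied from this advisory; names and grouping are assumptions.
ADVISORY = {
    "CVE-2025-2858": "AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:L",
    "CVE-2025-2859": "AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
    "CVE-2025-2860": "AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
    "CVE-2025-2861": "AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
    "CVE-2025-2862": "AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
    "CVE-2025-2863": "AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
    "CVE-2025-2864": "AV:A/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N",
    "CVE-2025-2865": "AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L",
}
# Mandatory CVSS v4.0 base metrics and the values each one may take.
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN"}
REACH = {"N": "network", "A": "adjacent", "L": "local", "P": "physical"}

def parse_vector(vector):
    """Return {metric: value}; raise ValueError if a base metric is bad."""
    parts = vector.strip().split("/")
    if parts[0].startswith("CVSS:"):  # the advisory omits this prefix
        if parts[0] != "CVSS:4.0":
            raise ValueError(f"unsupported version {parts[0]!r}")
        parts = parts[1:]
    metrics = {}
    for part in parts:
        name, sep, value = part.partition(":")
        if not sep or name in metrics:
            raise ValueError(f"malformed or repeated component {part!r}")
        metrics[name] = value
    for name, allowed in BASE.items():
        if metrics.get(name) not in set(allowed):
            raise ValueError(f"missing or invalid base metric {name}")
    return metrics

def triage(vector):
    """Summarise the exposure conditions encoded in one vector."""
    m = parse_vector(vector)
    return {"reach": REACH[m["AV"]],
            "needs_account": m["PR"] != "N",
            "needs_user": m["UI"] != "N",
            "full_impact": m["VC"] == m["VI"] == m["VA"] == "H"}

def by_reach(advisory=ADVISORY):
    """Group CVE ids by attack vector, keeping advisory order."""
    groups = {}
    for cve, vector in advisory.items():
        groups.setdefault(triage(vector)["reach"], []).append(cve)
    return groups
```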
Solution
The vulnerabilities have been fixed by Arteche in firmware version 2.2.1.
Detail
- CVE-2025-2858: privilege escalation vulnerability in the saTECH BCU firmware version 2.1.3. An attacker with access to the CLI of the device could use the nice command to bypass all restrictions and elevate privileges to superuser.
- CVE-2025-2859: an attacker with network access could capture traffic and obtain user cookies, allowing the attacker to steal the active user session and make changes to the device via the web, depending on the privileges of the user whose session is stolen.
- CVE-2025-2860: saTECH BCU, in its firmware version 2.1.3, allows an authenticated attacker to access information about the credentials that users have within the web (.xml file). To exploit this vulnerability, the attacker must know the path, regardless of the user's privileges on the website.
- CVE-2025-2861: saTECH BCU, in its firmware version 2.1.3, uses the HTTP protocol. Using HTTP for web browsing means that information is exchanged in unencrypted text. Since sensitive data such as credentials are exchanged, an attacker could obtain them and log in legitimately.
- CVE-2025-2862: saTECH BCU, in its firmware version 2.1.3, performs weak password encryption. An attacker with access to the device's system or website could obtain the credentials, because the storage methods used do not provide sufficiently strong encryption.
- CVE-2025-2863: cross-site request forgery (CSRF) vulnerability in the web application of saTECH BCU firmware version 2.1.3, which could allow an unauthenticated local attacker to exploit active administrator sessions and perform malicious actions. The malicious actions that can be executed by the attacker depend on the logged-in user, and may include rebooting the device or modifying roles and permissions.
- CVE-2025-2864: saTECH BCU, in its firmware version 2.1.3, allows an attacker to inject malicious code into the legitimate website of the affected device, once the cookie is set. This attack only impacts the victim's browser (reflected XSS).
- CVE-2025-2865: saTECH BCU, in its firmware version 2.1.3, could allow XSS attacks and other malicious resources to be stored on the web server. An attacker with some knowledge of the web application could send a malicious request to victim users. Through this request, the victims would interpret the code (resources) stored on another, malicious website owned by the attacker.