Multiple critical security vulnerabilities were identified in Weintek HMI products. These vulnerabilities allow attackers on the same network to gain unauthorized access, execute arbitrary commands with elevated privileges, bypass authentication mechanisms, and fully compromise both the HMI system and the industrial processes it controls.
The vulnerabilities include hardcoded credentials, command injection flaws, unauthorized access to system control functions, insecure credential storage, and cryptographic weaknesses. Several of these issues cannot be mitigated by end users because the affected service accounts and credentials are built into the system and cannot be disabled or modified.
- Vendor: Weintek
- Affected Product: cMT-3072XH2
- Operating System Version: 20231011
- Web Interface Version: easyweb V2.1.53
The vulnerabilities affect multiple CGI endpoints and system services, including but not limited to: easyweb, command_wb.cgi, network_config.cgi, upload_wb.cgi, download_wb.cgi, reset_pj.cgi, and webview.cgi.
The product contains built-in service accounts (including developer and weintekOS) that are enabled by default. These accounts cannot be disabled or modified by administrators. Unauthorized users who obtain these credentials can gain full administrative access to the HMI system.
Improper input validation in the HMI name configuration allows attackers to inject system commands. The injected commands are executed with elevated privileges after a system reboot, enabling arbitrary command execution.
A command injection vulnerability exists in the DHCP configuration functionality. User-controlled input is passed directly to system commands without sanitization, allowing arbitrary command execution without requiring a system reboot.
The VNC functionality fails to properly enforce authorization checks. Built-in service accounts can access HMI VNC features beyond their intended permissions, allowing unauthorized HMI control and interaction.
The reset_pj.cgi endpoint allows users to trigger sensitive system control functions through parameter manipulation. Insufficient authorization checks allow non-administrative users to execute critical operations such as stopping or restarting projects and modifying system state.
The file download functionality allows attackers to bypass authentication checks and download files without proper authorization. Insufficient validation of user-supplied parameters also allows access to unintended file paths.
Sensitive JSON responses are encrypted using a hardcoded encryption key and an insecure encryption mode (ECB). This allows attackers to decrypt intercepted communications and access sensitive system data.
User credentials, including passwords and authorization data, are stored in plaintext within local database files. No hashing or encryption mechanisms are applied, resulting in complete exposure of user authentication data if the files are accessed.
The system includes a default FTP service account with static credentials. The password cannot be changed by users, creating a persistent and unmitigable attack surface.
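One way a defender can watch for the behaviours described above in web access logs, as an added example that is not code from Weintek or from the researchers: the endpoint names and the two built-in account names come from this advisory, while the log line shape (reverse-proxy or capture style, shown in the comments), the administrator list and the parameter names in the constructed sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus
BUILTIN_ACCOUNTS = {"developer", "weintekOS"}  # built-in service accounts named in the advisory
ADMIN_USERS = {"admin"}                        # assumption: the site's legitimate HMI administrators
SHELL_META = re.compile(r"[;&|`$(){}\r\n]")        # command-injection indicators in a parameter value
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a '..' path segment in a parameter value
# Assumed log shape (constructed for this example): <ip> <user or -> "<METHOD> <target> HTTP/x" <status>
LOG_RE = re.compile(r'^(\S+) (\S+) "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def query_params(query):
    """Split on '&' only and percent-decode, so a ';' inside a value stays visible as data."""
    pairs = []
    for part in filter(None, query.split("&")):
        key, _, value = part.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def inspect_request(line):
    """Return the findings for one access-log line (empty list if nothing looks suspicious)."""
    m = LOG_RE.match(line)
    if not m: return []
    ip, user, _method, target, status = m.groups()
    path, _, query = target.partition("?")
    cgi = path.rsplit("/", 1)[-1]
    params = query_params(query)
    findings = []
    if cgi in ("command_wb.cgi", "network_config.cgi"):       # HMI name / DHCP command injection
        findings += [f"shell metacharacter in {cgi} parameter {k!r} from {ip}"
                     for k, v in params if SHELL_META.search(v)]
    if cgi in ("download_wb.cgi", "upload_wb.cgi"):           # path traversal, unauthenticated download
        findings += [f"path traversal in {cgi} parameter {k!r} from {ip}"
                     for k, v in params if TRAVERSAL.search(v)]
        if cgi == "download_wb.cgi" and user == "-" and status == "200":
            findings.append(f"unauthenticated download succeeded from {ip}")
    if cgi == "reset_pj.cgi" and user not in ADMIN_USERS:     # sensitive control function by a non-admin
        findings.append(f"reset_pj.cgi invoked by non-admin {user!r} from {ip}")
    if user in BUILTIN_ACCOUNTS:                               # accounts that cannot be disabled, in use
        findings.append(f"built-in service account {user!r} used over HTTP from {ip}")
    return findings

def scan_log(text):
    """Map 1-based line number -> findings for every flagged line of the log text."""
    return {n: f for n, line in enumerate(text.splitlines(), 1) if (f := inspect_request(line))}
# Constructed sample lines; the parameter names (hmi_name, file, action, hostname) are assumptions.
SAMPLE_LOG = """\
192.0.2.10 admin "POST /cgi-bin/command_wb.cgi?hmi_name=line1-hmi HTTP/1.1" 200
192.0.2.44 - "GET /cgi-bin/download_wb.cgi?file=..%2F..%2Fconfig.db HTTP/1.1" 200
192.0.2.44 developer "POST /cgi-bin/reset_pj.cgi?action=stop HTTP/1.1" 200
192.0.2.44 weintekOS "POST /cgi-bin/network_config.cgi?hostname=hmi1;id HTTP/1.1" 200
"""
```

Any use of the developer or weintekOS accounts is flagged regardless of endpoint, because the advisory states those accounts cannot be disabled, so the only available control is to notice them being used.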
Successful exploitation of these vulnerabilities may allow attackers to:
- Bypass authentication and authorization mechanisms
- Gain administrative or root-level access
- Execute arbitrary system commands
- Access and manipulate industrial control interfaces
- Steal credentials and sensitive configuration data
- Maintain persistent unauthorized access
Because multiple vulnerabilities are chained together and several accounts cannot be disabled, the overall impact is considered critical.
These vulnerabilities were discovered and responsibly reported by independent security researchers in December 2024.
- CVE-2024-55019
- CVE-2024-55020
- CVE-2024-55021
- CVE-2024-55022
- CVE-2024-55023
- CVE-2024-55024
- CVE-2024-55025
- CVE-2024-55026
- CVE-2024-55027
- CVE-2024-55019: Default HMI service account credentials allowing unauthorized administrative access (CWE-798)
- CVE-2024-55020: Persistent command injection via the HMI name configuration field leading to privileged command execution after reboot (CWE-78)
- CVE-2024-55021: Real-time command injection in DHCP configuration allowing immediate arbitrary command execution (CWE-78)
- CVE-2024-55022: Unauthorized VNC access using built-in service accounts due to improper authorization enforcement (CWE-284)
- CVE-2024-55023: Unauthorized execution of sensitive HMI control functions via reset_pj.cgi (CWE-285)
- CVE-2024-55024: Unauthenticated file download and path traversal allowing access to unintended files (CWE-23)
- CVE-2024-55025: Use of hardcoded cryptographic keys and insecure encryption mode in JSON communication (CWE-321)
- CVE-2024-55026: Plaintext storage of user credentials in local database files (CWE-256)
- CVE-2024-55027: Static default FTP account credentials that cannot be modified by administrators (CWE-798)