Cyber Resilience

CVE-2020-16231

High

Published: 19 May 2022

Published
19 May 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0025 48.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-16231 is a high-severity Use of Password Hash With Insufficient Computational Effort (CWE-916) vulnerability in Bachmann Mx207 Firmware. Its CVSS base score is 7.2 (High).

Operationally, ranked at the 48.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

The affected Bachmann Electronic M-Base Controllers of version MSYS v1.06.14 and later use weak cryptography to protect device passwords. Affected controllers that are actively supported include MX207, MX213, MX220, MC206, MC212, MC220, and MH230 hardware controllers, and affected end-of-life controller…

more

include MC205, MC210, MH212, ME203, CS200, MP213, MP226, MPC240, MPC265, MPC270, MPC293, MPE270, and CPC210 hardware controllers. Security Level 0 is set at default from the manufacturer, which could allow an unauthenticated remote attacker to gain access to the password hashes. Security Level 4 is susceptible if an authenticated remote attacker or an unauthenticated person with physical access to the device reads and decrypts the password to conduct further attacks.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

bachmann
mx207 firmware
≥ 1.06.14
bachmann
mx213 firmware
≥ 1.06.14
bachmann
mx220 firmware
≥ 1.06.14
bachmann
mc206 firmware
≥ 1.06.14
bachmann
mc212 firmware
≥ 1.06.14
bachmann
mc220 firmware
≥ 1.06.14
bachmann
mh230 firmware
≥ 1.06.14
bachmann
mc205 firmware
≥ 1.06.14
bachmann
mc210 firmware
≥ 1.06.14
bachmann
mh212 firmware
≥ 1.06.14
+10 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-916

Information from security contacts highlights password hashing methods with insufficient computational effort, preventing their adoption.

References