Circontrol CirCarLife
Act Now (10) | ICS-CERT ICSA-18-305-03 | Nov 1, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Circontrol CirCarLife versions prior to 4.3.1 contain authentication bypass and credential exposure vulnerabilities. Authentication bypass (CWE-288) and insufficiently protected, plaintext-stored credentials (CWE-522) allow remote attackers without authentication to retrieve stored usernames and passwords, and to access critical system information. This could allow unauthorized access to charging station controls and sensitive operational data.
What this means
What could happen
An attacker could retrieve stored credentials in clear text and access critical information on the CirCarLife charging system, potentially allowing unauthorized control or data theft.
Who's at risk
Organizations running Circontrol CirCarLife electric vehicle charging systems, particularly those with remote management or monitoring capabilities enabled. This affects charging station operators and fleet managers who depend on CirCarLife for operational control.
How it could be exploited
An attacker with network access to the CirCarLife system could exploit weak credential storage (CWE-288, CWE-522) to retrieve plaintext usernames and passwords, then use those credentials to authenticate and access sensitive data or system controls.
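The weakness the advisory names, CWE-522, is a credential record that contains the password itself, so any read of that record (an unauthenticated endpoint, a backup, a log) yields a working login. The following is an added illustration, not Circontrol's code and not a description of how CirCarLife stores its data: it places the plaintext pattern next to a salted, stretched PBKDF2 hash and includes a small audit helper that checks whether a serialized record still contains the password verbatim. The iteration count and the sample credentials are constructed assumptions.

```python
"""Added example (not Circontrol's code): plaintext credential storage, the
CWE-522 weakness named in the advisory, contrasted with salted PBKDF2 hashing
so a leaked credential record no longer yields a usable password."""
import hashlib
import hmac
import json
import os
from typing import Optional

# Assumption: iteration count chosen for illustration; tune to your hardware budget.
PBKDF2_ITERATIONS = 600_000


# --- Vulnerable pattern (CWE-522): the stored record contains the password ---
def store_plaintext(username: str, password: str) -> dict:
    # Anyone who can read this record obtains a working credential.
    return {"user": username, "password": password}


# --- Hardened pattern: store only a per-user salt and a stretched hash ---
def store_hashed(username: str, password: str, salt: Optional[bytes] = None) -> dict:
    # A fresh random salt per user defeats precomputed-table attacks; the
    # explicit salt parameter exists only so results are reproducible in tests.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "user": username,
        "alg": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_hashed(record: dict, password: str) -> bool:
    # Recompute with the stored salt and iteration count, then compare in
    # constant time so the check itself does not leak timing information.
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_leaks_password(record: dict, password: str) -> bool:
    """Audit helper: True if the serialized record contains the password verbatim."""
    return password in json.dumps(record)


if __name__ == "__main__":
    # Constructed sample credential, not a real CirCarLife account.
    user, pw = "operator", "Sup3rSecret!"
    print("plaintext record leaks password:",
          record_leaks_password(store_plaintext(user, pw), pw))
    rec = store_hashed(user, pw)
    print("hashed record leaks password:", record_leaks_password(rec, pw))
    print("verify correct password:", verify_hashed(rec, pw))
    print("verify wrong password:", verify_hashed(rec, "guess"))
```

The audit helper is the part a defender can reuse: run it over whatever credential export or configuration dump a device produces, and any hit shows a record that would hand an attacker a login the moment it is disclosed.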
Prerequisites
- Network access to the CirCarLife web interface or API
- System running CirCarLife version earlier than 4.3.1
- No authentication required to retrieve stored credentials
Tags: remotely exploitable, no authentication required, low complexity, high CVSS score (10.0), credentials stored in clear text
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
CirCarLife (all) | < 4.3.1 | 4.3.1
Remediation & Mitigation
Do now
HARDENING: Restrict network access to CirCarLife to authorized users only; do not expose it to the Internet.
HARDENING: Place CirCarLife systems behind a firewall and isolate them from the business network.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: Update CirCarLife to version 4.3.1 or later.
HARDENING: If remote access is required, implement a VPN and keep it updated to the latest version.
CVEs (2)